Compare commits

578 Commits

Author SHA1 Message Date
Calum Grant
ca5e0cf378 Flame graphs specify parent/child structure 2023-02-22 10:57:50 +00:00
Calum Grant
844fc617aa Fix 2023-02-22 10:07:43 +00:00
Calum Grant
2b91dfb908 Added a series column to the chart data 2023-02-22 10:01:41 +00:00
Calum Grant
dc2eada781 Fix formatting 2023-02-22 09:56:30 +00:00
Calum Grant
db5cc73754 Remove comment 2023-02-22 09:32:35 +00:00
Calum Grant
10d26d4f9d First draft graphs library 2023-02-22 09:28:14 +00:00
Mathias Vorreiter Pedersen
ad8d9c5b91 Merge pull request #12269 from github/tausbn/ql-add-json-extraction
QL: Add JSON (+C/L) extraction
2023-02-21 16:42:19 +00:00
Arthur Baars
aac65b0df0 Merge pull request #12268 from aibaars/update-erb
Ruby: update tree-sitter-embedded-template
2023-02-21 14:31:30 +01:00
Taus
b5ebd1a0fd QL: Add JSON (+C/L) extraction 2023-02-21 12:59:30 +00:00
Arthur Baars
814bef021d Ruby: update tree-sitter-embedded-template 2023-02-21 13:49:33 +01:00
Geoffrey White
c462e010d1 Merge pull request #12266 from geoffw0/taintplusequals
Swift: Taint through arithmetic
2023-02-21 09:32:53 +00:00
Geoffrey White
9b117fefd7 Swift: Generalize the arithmetic we allow taint through. 2023-02-20 18:18:15 +00:00
Geoffrey White
a5bb336647 Merge pull request #12265 from geoffw0/taintunaryplus
Swift: Add unary +
2023-02-20 18:04:37 +00:00
Geoffrey White
87c0b6195f Swift: Add taint tests for various arithmetic operators. 2023-02-20 17:22:51 +00:00
Geoffrey White
3038543242 Swift: Add UnaryPlusExpr. 2023-02-20 17:15:20 +00:00
Calum Grant
779c2365fe Merge pull request #12091 from github/cg/shared-code-metrics
Script to generate shared code metrics
2023-02-20 16:58:30 +00:00
Geoffrey White
e19e28fbb9 Merge pull request #12263 from geoffw0/flowsourceinline
Swift: Convert the flow sources test to inline expectations.
2023-02-20 16:13:01 +00:00
Erik Krogh Kristensen
6894803b14 Merge pull request #12257 from erik-krogh/compile-stuff
CI: Fix CI use of the compilation cache
2023-02-20 16:46:09 +01:00
Geoffrey White
31967cc032 Swift: Add a couple of dataflow test cases for operators that behave as an identity function. 2023-02-20 15:42:07 +00:00
erik-krogh
389b7ceff5 support the new shared compilation cache directory 2023-02-20 15:34:03 +01:00
erik-krogh
f6fdf45359 remember to actually output the compilation dir 2023-02-20 15:32:50 +01:00
Geoffrey White
690b5debf4 Swift: Remove the old test. 2023-02-20 13:58:53 +00:00
Geoffrey White
dd7f54677b Swift: Add inline expectation tags. 2023-02-20 13:57:24 +00:00
Joe Farebrother
1fb27354b9 Merge pull request #12242 from joefarebrother/testgen-improvements
Java: Test generator fixes
2023-02-20 13:53:18 +00:00
Alex Ford
774030a8db Merge pull request #12083 from pwntester/ruby_twirp_support
[Ruby] Add support for Twirp framework
2023-02-20 13:16:52 +00:00
yoff
52dd1f451c Merge pull request #12260 from yoff/python/fix-precision-usafe-unpack
python: Lower precision as discussed
2023-02-20 13:38:50 +01:00
Geoffrey White
b66ed57e17 Swift: Fix a mistake in FlowSources.qll. 2023-02-20 11:11:46 +00:00
Rasmus Lerchedahl Petersen
9e97877938 python: lower precision as discussed 2023-02-20 12:06:19 +01:00
Geoffrey White
d9f2d348f4 Swift: Add an inline expectations test for flow sources. 2023-02-20 11:03:10 +00:00
Tom Hvitved
658cc33bb8 Merge pull request #12212 from hvitved/util/inline-expect-test-use-end-line
Util: Use end line instead of start line for actual results
2023-02-20 11:41:02 +01:00
Geoffrey White
6cec8ece3f Swift: Split off FlowConfig.qll. 2023-02-20 10:27:40 +00:00
Harry Maclean
9aea725f3d Merge pull request #12053 from hmac/actioncontroller-renderer-2
Ruby: Model ApplicationController.renderer
2023-02-20 22:28:30 +13:00
Mathias Vorreiter Pedersen
49be5fd19a Merge pull request #12250 from geoffw0/filemanagersource
Swift: Taint sources for FileManager
2023-02-20 09:12:11 +00:00
Tom Hvitved
879eff41ea Merge branch 'main' into util/inline-expect-test-use-end-line 2023-02-20 10:03:38 +01:00
Rasmus Wriedt Larsen
efc75e02cc Merge pull request #12168 from RasmusWL/crypto-stdlib-modeling
Python: Add modeling of `hmac`
2023-02-20 09:26:53 +01:00
Harry Maclean
4e07fd3eb1 Ruby: Model ApplicationController.renderer 2023-02-19 13:37:27 +13:00
Taus
89aec093c8 Merge pull request #12233 from github/tausbn/add-blame-extractor 2023-02-18 15:06:25 +01:00
erik-krogh
cd823d7495 add git info to the checkout 2023-02-18 13:43:24 +01:00
erik-krogh
52a9d5379b add buramu to the files cached for the extractor 2023-02-18 13:22:41 +01:00
erik-krogh
db9a0d1c52 make the deprecation query calculate based on months, and adjust the cutoff to 14 months 2023-02-18 12:39:16 +01:00
erik-krogh
6f8ae703ca add the deprecation file when running QL-for-QL 2023-02-18 12:31:14 +01:00
erik-krogh
1a308316c6 fix join-order of ql/outdated-deprecation 2023-02-18 12:28:06 +01:00
erik-krogh
fcff18aa3c add query header for OutdatedDeprecations 2023-02-18 12:22:34 +01:00
erik-krogh
4f97c0470b exclude java integration tests from QL-for-QL 2023-02-18 12:21:35 +01:00
Chris Smowton
655aa700bc Merge pull request #12247 from smowton/smowton/fix/integer-conversion-sign
Go integer conversion: check against sink, not source signedness
2023-02-18 08:55:52 +00:00
Jami
f72cb5f650 Merge pull request #12215 from jcogs33/jcogs33/move-awt-swing-from-isJdkInternal
Java: move java.awt and javax.swing from `isJdkInternal` to `isInfrequentlyUsed`
2023-02-17 15:48:39 -05:00
Geoffrey White
7a9bbb1414 Swift: Model FileManager sources. 2023-02-17 20:04:27 +00:00
Chris Smowton
c7da1c9e0d Use example that compiles on 32-bit arch 2023-02-17 19:35:04 +00:00
Chris Smowton
be468fe122 Change note 2023-02-17 19:21:15 +00:00
Chris Smowton
4e86edf4fe Add test case 2023-02-17 19:16:36 +00:00
Chris Smowton
4d1608aafa Go integer conversion: check against sink, not source signedness 2023-02-17 18:53:18 +00:00
Geoffrey White
5d125572ec Swift: Test for FileManager taint sources. 2023-02-17 18:14:16 +00:00
Nick Rolfe
cef6765890 Merge pull request #12221 from github/post-release-prep/codeql-cli-2.12.3
Post-release preparation for codeql-cli-2.12.3
2023-02-17 17:59:45 +00:00
Calum Grant
c72a5d5dc0 Merge pull request #12245 from github/calumgrant/codeowners-dynamic
Update CODEOWNERS for dynamic teams
2023-02-17 17:25:08 +00:00
Chris Smowton
7205f30803 Merge pull request #12223 from github/smowton/admin/announce-jdk-20-2
Java: Announce JDK20 support
2023-02-17 16:10:24 +00:00
Calum Grant
e400a1ad77 Update CODEOWNERS
As agreed in the retro, we'll make all dynamic team members responsible for PRs
2023-02-17 15:48:24 +00:00
Joe Farebrother
a9f1436930 Test generator fixes
- Revert previous change to constructor return values; as constructors are supposed to be modeled using Argument[-1] rather than ReturnValue
- Fix generation of ambiguous calls when one of the conflicting methods is overridden
2023-02-17 15:30:06 +00:00
Nick Rolfe
5929c99eb1 Merge branch 'main' into post-release-prep/codeql-cli-2.12.3 2023-02-17 15:02:17 +00:00
Arthur Baars
71c8bb20f9 Merge pull request #12238 from aibaars/query-format-q
CI: make 'codeql query format' less verbose
2023-02-17 15:58:19 +01:00
Nick Rolfe
3e5534f0ba Merge branch 'main' into post-release-prep/codeql-cli-2.12.3 2023-02-17 14:39:26 +00:00
Taus
9f4f7a76c9 QL: Add query for outdated deprecations 2023-02-17 14:27:15 +00:00
Calum Grant
2cfd6c5597 Update misc/scripts/shared-code-metrics.py
Co-authored-by: Anders Peter Fugmann <anders@fugmann.net>
2023-02-17 14:26:58 +00:00
Calum Grant
35a53fa990 Merge pull request #12183 from RasmusWL/example-update
Python: Update a few examples so queries work on them
2023-02-17 14:21:38 +00:00
Arthur Baars
94467e638e CI: make 'codeql query compile' less verbose 2023-02-17 15:20:31 +01:00
Tom Hvitved
59efcd593a Python: Update test expectations 2023-02-17 15:20:21 +01:00
Tom Hvitved
0bceefc930 Java: Update test expectations 2023-02-17 15:20:21 +01:00
Arthur Baars
87cb3fd59f Update .github/workflows/compile-queries.yml
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2023-02-17 14:58:19 +01:00
Arthur Baars
c167919ff6 CI: make 'codeql query format' less verbose 2023-02-17 14:53:40 +01:00
Taus
db748fae6b QL: Integrate blame parser into extractor 2023-02-17 13:22:18 +00:00
Taus
59c1cfb43a QL: Add grammar for parsing blame files 2023-02-17 13:21:44 +00:00
Taus
0e0ec89e60 QL: Add tool for extracting blame info
I had some trouble getting this to work with version 1.54 of the Rust
toolchain, so I had to bump it up to 1.59.
2023-02-17 13:20:06 +00:00
Chris Smowton
d3e73891b5 Merge pull request #12229 from smowton/smowton/fix/gradle-wrapper-for-java-tests
Java: Add Gradle wrappers for Kotlin tests
2023-02-17 12:37:25 +00:00
Tom Hvitved
37fc8f5039 Swift: Update test expectations 2023-02-17 13:24:28 +01:00
Tom Hvitved
18c6b68232 Go: Update test expectations 2023-02-17 13:22:29 +01:00
Tom Hvitved
e9bce9f8cd Ruby: Update test expectations 2023-02-17 13:22:28 +01:00
Tom Hvitved
85e4707e0c Util: Use end line instead of start line for actual results 2023-02-17 13:22:28 +01:00
Geoffrey White
4356d359a6 Merge pull request #12226 from geoffw0/stringfix
Swift: Fix minor mistakes in the String models.
2023-02-17 10:23:56 +00:00
Chris Smowton
d1cd4cd099 Add Gradle wrappers for Kotlin tests
This avoids tests' behaviour changing due to environmental Gradle version changes
2023-02-17 10:10:22 +00:00
Rasmus Wriedt Larsen
39e7bba563 Merge pull request #12203 from RasmusWL/import-resolution-phi
Python: Handle if-then-else definitions in import resolution
2023-02-17 10:10:42 +01:00
yoff
2f8dddabb6 Merge pull request #11570 from Sim4n6/UnsafeUnpack
Python: Unsafe unpacking using `shutil.unpack_archive()` query and tests
2023-02-17 09:48:05 +01:00
Michael Nebel
2f6ffdd88f Merge pull request #12207 from michaelnebel/csharp/requiredmembers
C# 11: Required fields and properties.
2023-02-17 09:29:46 +01:00
Chris Smowton
6fc5bdd871 Announce JDK20 support 2023-02-17 08:15:33 +00:00
Michael Nebel
b87de911ba C#: Add change note. 2023-02-17 08:40:39 +01:00
Michael Nebel
3971dedcf6 C#: Add testcase for required members. 2023-02-17 08:40:39 +01:00
Michael Nebel
c0b8e852c5 C#: Add library support for required members. 2023-02-17 08:40:39 +01:00
Michael Nebel
2d46dd2936 C#: Add extractor support for the required modifier for fields and properties. 2023-02-17 08:40:39 +01:00
Michael Nebel
ff9e738d38 Merge pull request #12167 from michaelnebel/csharp/deprecategetassemblyname
C#: Checked operator support.
2023-02-17 08:39:32 +01:00
Geoffrey White
a894fc6ce8 Swift: Fix mistakes in String.qll models. 2023-02-16 18:24:36 +00:00
Geoffrey White
f64cb2983a Swift: Add tests for a few models we didn't cover. 2023-02-16 18:15:17 +00:00
github-actions[bot]
8eb8daa4d4 Post-release preparation for codeql-cli-2.12.3 2023-02-16 17:23:25 +00:00
Paolo Tranquilli
300db4f236 Merge pull request #12214 from github/redsun82/swift-codegen
Swift: fix weird module naming in codegen
2023-02-16 17:24:03 +01:00
Geoffrey White
cb11524dde Merge pull request #12154 from geoffw0/pathinjectionext
Swift: More path injection sinks
2023-02-16 16:00:31 +00:00
Erik Krogh Kristensen
2b529fbf53 Merge pull request #12213 from github/erik-krogh/patch-test
CI: inline the move-caches script into the action
2023-02-16 16:00:13 +01:00
Michael B. Gale
35b60167e1 Merge pull request #12153 from github/mbg/fix/msbuild-on-macos-arm
C#: Improve C# autobuilder compatibility with Arm-based Macs
2023-02-16 14:12:43 +00:00
Jami Cogswell
94fd412809 Java: move awt and swing to isInfrequentlyUsed predicate 2023-02-16 09:02:41 -05:00
erik-krogh
767da59397 remove the paths requirement from running QL-for-QL 2023-02-16 14:57:00 +01:00
Paolo Tranquilli
f50382ba70 Swift: fix weird module naming in codegen 2023-02-16 14:53:31 +01:00
erik-krogh
45d00ae9dd inline the move-caches script into the action 2023-02-16 14:52:46 +01:00
Nick Rolfe
44dc5a1f0b Merge pull request #12209 from github/release-prep/2.12.3
Release preparation for version 2.12.3
2023-02-16 13:25:19 +00:00
Paolo Tranquilli
7cfe15c304 Merge pull request #12205 from github/redsun82/swift-codegen
Swift: fix subtle `codegen` bug on missing files
2023-02-16 13:45:35 +01:00
Rasmus Wriedt Larsen
9ed021ad66 Python: Accept change to WeakFilePermissions.expected
💪
2023-02-16 13:27:16 +01:00
Nick Rolfe
b4d59ff932 Go: changenote grammar tweaks 2023-02-16 12:07:47 +00:00
github-actions[bot]
b0315119c6 Release preparation for version 2.12.3 2023-02-16 11:49:06 +00:00
Joe Farebrother
430b432add Merge pull request #12195 from joefarebrother/testgen-improvements
Java: Test generator improvements
2023-02-16 11:20:55 +00:00
Michael B. Gale
eab3c6dd5e Fix missing implementations for C++ tests 2023-02-16 11:07:38 +00:00
Michael B. Gale
e28be5d98f Make msbuild work on Arm-based Macs 2023-02-16 11:07:38 +00:00
Michael B. Gale
75c75ea49c Correctly select dotnet platform on arm-based macs 2023-02-16 11:07:37 +00:00
Paolo Tranquilli
3ec2a3c711 Swift: fix subtle codegen bug on missing files
While the internal registry was being cleaned up from files removed by
codegen itself, it was not dropping files removed outside of codegen.

Because of this files removed by the user were not being regenerated
again if no change was staged to them, unless `--force` was provided.

This also fixes some such "ghost" entries in the registry and some
missing generated files.
2023-02-16 11:46:51 +01:00
Paolo Tranquilli
3b1b3b46ae Merge pull request #12202 from github/redsun82/swift-codegen
> Out of curiosity: What is the end goal that we're trying to get to with this?

Up until now we would be writing that predicate by hand, see [this example](29c8260004/swift/ql/lib/codeql/swift/elements/expr/MethodLookupExpr.qll (L29-L30)). Now this will be given to us from the get go.

For me this was prompted to give a nicer live demo later at my presentation 🙂
2023-02-16 11:35:05 +01:00
Michael B. Gale
29c8260004 Merge pull request #12196 from github/mbg/csharp/add-msbuild-integration-tests 2023-02-16 10:29:28 +00:00
Rasmus Wriedt Larsen
766e6c400e Python: Handle if-then-else definitions in import resolution 2023-02-16 11:18:30 +01:00
Rasmus Wriedt Larsen
80f5342a6d Python: Add import regression for if-then-else definitions 2023-02-16 11:12:08 +01:00
Tony Torralba
87b54e674e Merge pull request #12178 from felickz/main
Java - Adding support for com.microsoft.sqlserver.jdbc.SQLServerDataSource to CWE-798
2023-02-16 11:03:34 +01:00
Michael B. Gale
9db1366e4b Change target framework to 4.0 for mono 2023-02-16 09:55:58 +00:00
Michael B. Gale
f1adb4319a Add C# integration test which uses MSBuild 2023-02-16 09:55:57 +00:00
Paolo Tranquilli
e2d7a6910c Swift: generate raw helpers in synthesized stubs
This will add helpers to get the underlying raw entities or constructor
arguments on stubs for synthesized classes.

For example a schema like:

```
@synth.from_class(A)
class B:
    pass

@synth.on_arguments(base=A, index=int)
class C:
    pass
```

will generate

```
cached
private Raw::A getUnderlyingEntity() { this = Synth::TB(result) }
```
in the `B.qll` stub and
```
cached
private Raw::A getUnderlyingBase() { this = Synth::TC(result, _) }

cached
private int getUnderlyingIndex() { this = Synth::TC(_, result) }
```
in the `C.qll` stub.

As stubs these can be freely changed later on.
2023-02-16 10:49:21 +01:00
Chris Smowton
180246b99c Merge pull request #12197 from smowton/smowton/admin/go-120-features
Go: complete Go 1.20 support
2023-02-16 08:12:02 +00:00
Chad Bentz
f3124d3239 Merge branch 'main' into main 2023-02-15 18:46:15 -05:00
Chad Bentz
2f1bd93a49 change-notes for this minorAnalysis lib change 2023-02-15 18:40:40 -05:00
Chad Bentz
2f576a4fe9 test both arguments of getConnection
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
2023-02-15 18:26:56 -05:00
Owen Mansel-Chan
45c1537f06 Merge pull request #12198 from github/smowton/admin/update-change-note
Update Twirp change note to new style
2023-02-15 21:54:48 +00:00
Rasmus Wriedt Larsen
ee5382d8a6 Merge pull request #12193 from RasmusWL/import-resolution-fixup
Python: Fix `from <pkg> import *` import resolution
2023-02-15 20:13:24 +01:00
Chris Smowton
3ce7fafb67 Fix unsafe test routine name 2023-02-15 19:05:01 +00:00
Chris Smowton
14655e1d8c Autoformat go 2023-02-15 18:41:14 +00:00
Chris Smowton
261a1348f0 Update Twirp change note to new style 2023-02-15 18:37:50 +00:00
Chris Smowton
c65fd69374 Add change note 2023-02-15 18:35:17 +00:00
Chris Smowton
233bd8ce8c Claim Go 1.20 support 2023-02-15 18:31:28 +00:00
Chris Smowton
7e7850374e Implement standard library models for Go 1.20 2023-02-15 18:29:49 +00:00
Joe Farebrother
d9e5c6c48a Fix typo 2023-02-15 17:21:03 +00:00
Alex Ford
74782bf6a2 Merge branch 'main' into ruby_twirp_support 2023-02-15 17:15:08 +00:00
Chris Smowton
7d2b78b463 Note that all interface types are considered comparable as of Go 1.20 2023-02-15 17:15:00 +00:00
Alex Ford
801ed1ce7c Ruby: add Twirp.expected 2023-02-15 17:05:33 +00:00
Joe Farebrother
95a131d0d3 Update help text 2023-02-15 16:18:47 +00:00
Joe Farebrother
8ee36a5278 Test generator improvements
- Accept yml files as input
- Output the correct type for constructors
2023-02-15 16:11:22 +00:00
Rasmus Wriedt Larsen
c72dbc49fc Merge pull request #12165 from RasmusWL/crypto-updates
Python/Ruby/JS Crypto: Add a few algorithms + block modes
2023-02-15 14:35:40 +01:00
Rasmus Wriedt Larsen
7e16fa9cbe Python: Add change-note 2023-02-15 14:25:33 +01:00
Rasmus Wriedt Larsen
220f227707 Python: Add wrapper for isPreferredModuleForName
We talked about how it's annoying that we in 4 places have the same fix
`isPreferredModuleForName(<module>.getFile(), <name> + ["", ".__init__"])`,
and that it would be nice to have a simple wrapper predicate that
ensures we never forget to do the `+ ["", ".__init__"]` dance...

I had trouble coming up with a name for this (ironically), but
I think `getModuleFromName` is good enough.
2023-02-15 14:23:39 +01:00
Rasmus Wriedt Larsen
66c3529465 Python: Fix import * from __init__.py files 2023-02-15 14:10:37 +01:00
Rasmus Wriedt Larsen
df6039d6cf Python: Add import resolution regression 2023-02-15 13:50:27 +01:00
Rasmus Wriedt Larsen
e1ae3c3cfb Python: sys.exit if import resolution tests fail 2023-02-15 13:44:45 +01:00
Chris Smowton
368ca6cb30 Add test exercising Go 1.20 array conversions 2023-02-15 12:31:09 +00:00
Chris Smowton
2cd1e09a7e Merge pull request #12111 from smowton/smowton/feature/java-merge-classes-and-interfaces
Java: merge the @class and @interface database types and tables
2023-02-15 10:27:41 +00:00
Chris Smowton
5f0b1973ee Merge pull request #12188 from smowton/smowton/feature/go-1.20-support
Go: Upgrade extractor compiler and dependency versions
2023-02-15 10:06:01 +00:00
Paolo Tranquilli
4be2e431ea Merge pull request #12180 from github/redsun82/swift-codegen
Swift: some restructuring of codegen
2023-02-15 10:15:20 +01:00
Anders Schack-Mulligen
b52df0de0c Merge pull request #12191 from github/workflow/coverage/update
Update CSV framework coverage reports
2023-02-15 09:07:40 +01:00
Harry Maclean
fb14920281 Merge pull request #12056 from hmac/test-refactor 2023-02-15 17:34:25 +13:00
github-actions[bot]
5f07d1f385 Add changed framework coverage reports 2023-02-15 00:17:48 +00:00
Chris Smowton
194316d1c0 Accept test changes
Some diagnostics have been reworded for Go 1.20, and a standard library type parameter is visible to the TypeParamType test.
2023-02-14 18:33:53 +00:00
Chris Smowton
d075e016b2 Upgrade Go to 1.20 2023-02-14 17:59:18 +00:00
Chris Smowton
9e584eb241 Upgrade Go extractor compiler and dependency versions 2023-02-14 17:34:47 +00:00
Chris Smowton
62d10f91d8 Improve join ordering 2023-02-14 17:21:24 +00:00
Chris Smowton
d5f7ef08b7 Update stats 2023-02-14 17:21:24 +00:00
Chris Smowton
7f76d8ae55 Replace redundant use of Class or Interface 2023-02-14 17:21:24 +00:00
Chris Smowton
82a2f4349a Resolve a newly-introduced ambiguity
Also fix a simple redundancy noticed while debugging
2023-02-14 17:21:24 +00:00
Chris Smowton
f48d87ba55 Add deletions for removed tables 2023-02-14 17:21:24 +00:00
Chris Smowton
3514dd1e4d Java: merge the @class and @interface database types and tables
This will allow the extractor to emit class(id, ...) when all it knows about a class is its name, due to not having it available on the classpath. Previously it would have had to guess whether it belonged to @class or @interface, possibly introducing an inconsistency.
2023-02-14 17:21:23 +00:00
Jami
029e1d47fe Merge pull request #12081 from jcogs33/jcogs33/update-some-Files-sinks
Java: update `createTempDirectory` and `copy` "create-file" sinks
2023-02-14 10:53:17 -05:00
Taus
e40bb6ac87 Merge pull request #12029 from github/tausbn/python-clean-up-version-handling
Python: Clean up version handling
2023-02-14 16:40:09 +01:00
Taus
1b30043422 Python: Move change note to correct directory 2023-02-14 13:48:55 +00:00
Alvaro Muñoz
4644a88b89 address code review comments 2023-02-14 14:27:17 +01:00
Taus
4f7c598ffc Python: Add change note 2023-02-14 13:22:48 +00:00
Erik Krogh Kristensen
2f8c9a5a2c Merge pull request #12171 from erik-krogh/reg-dot
JS: don't recognize regexps that match dot as sanitizers
2023-02-14 14:10:44 +01:00
Erik Krogh Kristensen
e3e2df3247 Merge pull request #12166 from erik-krogh/more-html-san
JS: add `HtmlSanitizer` as a sanitizer DOMBasedXss
2023-02-14 14:09:56 +01:00
Taus
39516862c1 Merge remote-tracking branch 'origin/main' into tausbn/python-clean-up-version-handling 2023-02-14 13:07:40 +00:00
Erik Krogh Kristensen
028fcc7edf Merge pull request #11959 from erik-krogh/ssrfSan
JS: add encodeURIComponent as a sanitizer for request-forgery
2023-02-14 13:39:53 +01:00
Erik Krogh Kristensen
a498936f16 Merge pull request #12170 from erik-krogh/more-lib
JS: More library inputs
2023-02-14 13:38:00 +01:00
Erik Krogh Kristensen
bca3fa94fd Merge pull request #12159 from erik-krogh/express-ws
JS: add express-ws as a source
2023-02-14 13:36:33 +01:00
Michael Nebel
469b289db9 C#: Add change note. 2023-02-14 13:14:45 +01:00
Michael Nebel
b3c234d020 C#: Add testcases for checked operators. 2023-02-14 12:59:36 +01:00
Michael Nebel
238a70fc55 C#: Add library support for checked operators. 2023-02-14 12:58:15 +01:00
Michael Nebel
b7123aaa89 C#: Add viable callable testcases for regular and checked operators. 2023-02-14 12:57:59 +01:00
Rasmus Wriedt Larsen
dc5bb4fb77 Python: Update a few examples so queries work on them
Fixes problem highlighted in https://github.com/github/codeql/issues/12156
2023-02-14 11:54:18 +01:00
Joe Farebrother
f68083872d Merge pull request #12174 from joefarebrother/stubgen-name-conflicts
Java: Stub generator: Use fully qualified names to avoid conflicts
2023-02-14 10:10:24 +00:00
Paolo Tranquilli
81de500301 Swift: fix import not working in all python versions 2023-02-14 10:40:05 +01:00
Anders Schack-Mulligen
0600a2ba96 Merge pull request #12138 from aschackmull/java/gen-file-mark-perf
Java: Improve performance of GeneratedFileMarker.
2023-02-14 09:57:09 +01:00
Tony Torralba
935e22d10d Merge pull request #12139 from atorralba/atorralba/java/xxe-local-query
Java: Add local version of the XXE query
2023-02-14 09:54:36 +01:00
Paolo Tranquilli
8e079320f3 Swift: some restructuring of codegen
Loading of the schema and dbscheme has been moved to a separate
`loaders` package for better separation of concerns.
2023-02-14 09:53:02 +01:00
Michael Nebel
781aab3eb7 Merge pull request #11634 from michaelnebel/java/excludeinterfacemembers
Java: Exclude interface members from model generation.
2023-02-14 09:35:56 +01:00
Chad Bentz
b0c8992eef Adding CWE-798 MSSQL Tests 2023-02-13 19:44:02 -05:00
Chad Bentz
cfe169a4f9 Adding MSSQL to SensitiveAPI 2023-02-13 19:42:28 -05:00
erik-krogh
4140598769 update expected output for experimental query 2023-02-14 00:08:13 +01:00
erik-krogh
c17d057520 default to index.js when no main: is specified in package.json, and recognize more classes as library inputs 2023-02-13 21:24:41 +01:00
Joe Farebrother
0b722bfe30 Stub generator: Use fully qualified names to avoid conflicts 2023-02-13 17:09:32 +00:00
erik-krogh
68656274f4 don't recognize regexps that match dot as sanitizers 2023-02-13 17:36:51 +01:00
Jami Cogswell
e4c8387815 Java: update CaptureSinkModels.expected with read-file sink 2023-02-13 11:29:30 -05:00
Tony Torralba
1c57aa0456 Fix import locations 2023-02-13 17:13:01 +01:00
Tom Hvitved
8372ad9d84 Merge pull request #12169 from hvitved/util/numbers
Move `NumberUtils.qll` from Ruby into shared `util` pack
2023-02-13 16:37:51 +01:00
Tom Hvitved
2113c3c3d9 Ruby: Remove NumberUtils.qll 2023-02-13 15:59:50 +01:00
Tom Hvitved
29ce9bfe24 Util: Make some predicates private 2023-02-13 15:58:31 +01:00
Tom Hvitved
97f79602a9 Copy NumberUtils.qll from Ruby into shared util pack 2023-02-13 15:57:53 +01:00
Rasmus Wriedt Larsen
1c7fe97427 Python: Add modeling of hmac 2023-02-13 15:39:43 +01:00
Rasmus Wriedt Larsen
df22181963 Python: Add tests of hmac 2023-02-13 15:38:14 +01:00
erik-krogh
6192544fb4 add test for express-ws as a source 2023-02-13 15:26:50 +01:00
Jami Cogswell
1c3d4b98c8 Java: move change note 2023-02-13 09:15:31 -05:00
Jami Cogswell
191613e8bf Java: update change note 2023-02-13 09:11:53 -05:00
Owen Mansel-Chan
4fa484dad2 Merge pull request #12130 from owen-mc/go/port-integration-tests
Go: port integration tests
2023-02-13 13:49:59 +00:00
Rasmus Wriedt Larsen
39e50f745d Ruby: Fix .expected for CryptoAlgorithms 2023-02-13 14:21:12 +01:00
Michael Nebel
b3602a5b7f C#: Use functionname as stored in the database. 2023-02-13 13:53:46 +01:00
Kasper Svendsen
c66a44f2e2 Merge pull request #12162 from kaspersv/kaspersv/inline-late-docs
QLDocs: Document inline_late pragma
2023-02-13 13:35:28 +01:00
Anders Schack-Mulligen
e877b161d8 Merge pull request #12124 from hvitved/dataflow/stage1-dispatch
Data flow: Call context virtual dispatch pruning in stage 1
2023-02-13 13:13:43 +01:00
Owen Mansel-Chan
7ebe472cfe Move repo files into subfolder
This is so that the test-db doesn't get moved when all the repo files
are moved, which was causing some problems.
2023-02-13 11:59:38 +00:00
Owen Mansel-Chan
37d3793e87 Set LGTM_INDEX_IMPORT_PATH in two tests
This is needed for Dep and Glide
2023-02-13 11:59:38 +00:00
Owen Mansel-Chan
1f1e2dbf98 Make dep integration test linux-only
This is because there is no release of Dep for
MacOS (Arm).
2023-02-13 11:59:38 +00:00
Owen Mansel-Chan
3ee3acd8fd Make Glide integration test linux-only
This is because it is hard to install Glide on the other platforms.
2023-02-13 11:59:37 +00:00
Owen Mansel-Chan
e635140eae Add files needed for tests 2023-02-13 11:59:37 +00:00
Owen Mansel-Chan
f2c541a461 Delete build-sample test
This is adequately tested elsewhere.
2023-02-13 11:59:37 +00:00
Owen Mansel-Chan
f062a8d204 Copy LGTM integration tests over 2023-02-13 11:59:36 +00:00
Owen Mansel-Chan
947a9f12a1 Make DiagnosticsReporting.qll a library 2023-02-13 11:59:36 +00:00
Kasper Svendsen
11204987f1 Reword based on review comments 2023-02-13 12:49:50 +01:00
Michael Nebel
34c6b24882 Merge pull request #12147 from michaelnebel/csharp/relaxedshift
C# 11: Test of relaxed shift operator requirements.
2023-02-13 12:48:39 +01:00
Arthur Baars
457a2bb2a2 Merge pull request #12093 from aibaars/oneline-match
Ruby: add support for one-line pattern matches
2023-02-13 12:38:28 +01:00
Kasper Svendsen
ac54caac35 Update docs/codeql/ql-language-reference/annotations.rst
Co-authored-by: Philip Ginsbach <ginsbach@github.com>
2023-02-13 12:35:08 +01:00
Kasper Svendsen
426425a7ca Update docs/codeql/ql-language-reference/annotations.rst
Co-authored-by: Philip Ginsbach <ginsbach@github.com>
2023-02-13 12:34:50 +01:00
Chris Smowton
0537579b28 Merge pull request #12131 from owen-mc/go/named-type-location
Add `hasLocationInfo` for `Type`s
2023-02-13 11:33:50 +00:00
Erik Krogh Kristensen
2f404df17c Merge pull request #10782 from erik-krogh/rbPoly
Ruby: add library input as a source for `rb/polynomial-redos`
2023-02-13 12:26:07 +01:00
erik-krogh
b85bfc8ba6 add HtmlSanitizer as a sanitizer for DOMBasedXss 2023-02-13 11:57:29 +01:00
erik-krogh
c258e44772 add failing test for spurious edge through sanitizer 2023-02-13 11:49:57 +01:00
Erik Krogh Kristensen
26d5fb2412 Merge pull request #11824 from erik-krogh/secondMissAnchor
RB: add query detecting validators that use badly anchored regular expressions on library/remote input
2023-02-13 11:26:05 +01:00
Kasper Svendsen
74472d786c QLDocs: Document inline_late pragma 2023-02-13 10:51:48 +01:00
erik-krogh
634087b417 Merge branch 'main' into rbPoly 2023-02-13 10:46:00 +01:00
Michael Nebel
2ce6d5f920 Java: Update negative models test to not produce a negative summary for interface member. 2023-02-13 10:45:54 +01:00
Rasmus Wriedt Larsen
5235964b07 sync files 2023-02-13 10:44:12 +01:00
Rasmus Wriedt Larsen
b2e79e2948 Python/Ruby/JS Crypto: Add a few algorithms + block modes
I have tried to add a few links to support the claim that these
algorithms are strong/safe. It wasn't always super easy, so in some
cases I have ended up just linking to the documentation of the
`cryptography` Python package.

Co-authored-by: REDMOND\brodes <brodes@microsoft.com>
2023-02-13 10:40:47 +01:00
Paolo Tranquilli
f07c598a22 Merge pull request #12164 from github/redsun82/swift-codegen-outside-bazel
Swift: make `codegen` run also outside `bazel`
2023-02-13 10:32:20 +01:00
Michael Nebel
80628596dd Java: Exclude interface members from model generation. 2023-02-13 10:21:32 +01:00
Geoffrey White
124e4ddd4f Merge pull request #12150 from geoffw0/cfg2
Swift: control flow for #available
2023-02-13 09:17:06 +00:00
Tom Hvitved
0b8173e2e7 Ruby: Add another data flow test 2023-02-13 09:50:50 +01:00
Paolo Tranquilli
55aacd6fe9 Merge pull request #12137 from github/redsun82/swift-doc-for-schema-doc
Swift: add documentation for generated documentation
2023-02-13 09:43:34 +01:00
Paolo Tranquilli
483a87abe9 Swift: make codegen run also outside bazel 2023-02-13 09:39:31 +01:00
Tony Torralba
4fad01a739 Further refactoring
Avoid having two taint tracking configurations in the same file
2023-02-13 09:18:05 +01:00
Tony Torralba
f3e0b6e62c PathGraph shouldn't be imported in a QLL library 2023-02-13 09:18:05 +01:00
Tony Torralba
422eb0d1bb Add change note 2023-02-13 09:18:05 +01:00
Tony Torralba
5555b5cd19 Add local version of the XXE query 2023-02-13 09:18:05 +01:00
Paolo Tranquilli
542c9218de Merge branch 'main' into redsun82/swift-doc-for-schema-doc 2023-02-13 09:07:02 +01:00
Tom Hvitved
f7a5a33474 Address review comment 2023-02-13 09:01:15 +01:00
erik-krogh
91393a7bc8 add change-note 2023-02-12 23:28:01 +01:00
erik-krogh
6474cfd4c8 add support for express-ws 2023-02-12 23:25:27 +01:00
Jami Cogswell
ad8849c6b8 Java: fix typo 2023-02-12 16:33:26 -05:00
Jami Cogswell
676e4e8461 Java: add change note 2023-02-12 16:32:31 -05:00
Sim4n6
d7af80136e Fail tests when missing annotation on sink or fail 2023-02-12 21:27:20 +01:00
Sim4n6
518684b736 Put back the annotation result=BAD 2023-02-12 21:26:12 +01:00
Sim4n6
80d4fb5e33 Organise TarSlip/UnsafeUnpack into two folders 2023-02-12 10:51:53 +01:00
Jami Cogswell
ce1c814daa Java: update path-injection query to use new 'read-file' sink kind 2023-02-11 17:10:58 -05:00
Jami Cogswell
c87c3e30c7 Java: update getInvalidModelKind with 'read-file' kind 2023-02-11 17:07:25 -05:00
Owen Mansel-Chan
685b8b4abd Tests are no longer fooled by type aliases 2023-02-10 22:09:21 +00:00
Owen Mansel-Chan
7042f67375 Refactor code to be simpler 2023-02-10 22:09:20 +00:00
Owen Mansel-Chan
778826b528 Accept test changes
Note that
go/ql/test/library-tests/semmle/go/Types/QualifiedNames.expected and
go/ql/test/library-tests/semmle/go/Types/Types.expected gain two lines.
In both cases this is because GenericArray and GenericSignature are
each instantiated twice, so they appear with two different locations.
2023-02-10 22:09:20 +00:00
Owen Mansel-Chan
202c0be303 Add hasLocationInfo for Types
It returns a dummy location except for named types with a type
declaration in the source.
2023-02-10 22:09:20 +00:00
Sim4n6
eed19a3e15 Fix autoformatting issues 2023-02-10 21:58:29 +01:00
Geoffrey White
ad85b37585 Swift: Tidy up indenting. 2023-02-10 18:06:56 +00:00
Geoffrey White
d0efbbf5b8 Swift: More path injection models. 2023-02-10 18:02:50 +00:00
Geoffrey White
82f09b8511 Swift: More path injection test cases. 2023-02-10 17:55:06 +00:00
Arthur Baars
679f02c274 Address comments 2023-02-10 18:08:30 +01:00
Geoffrey White
8624098318 Swift: sync identical files. 2023-02-10 15:24:57 +00:00
Nora
d55e9d5dac Merge pull request #12000 from github/nora/update-query-history-actions
Rename Query History Actions
2023-02-10 16:18:36 +01:00
Geoffrey White
eda331ebc2 Swift: Clean up. 2023-02-10 15:11:31 +00:00
Geoffrey White
11f022c69f Swift: Add some more qldoc. 2023-02-10 15:02:05 +00:00
Geoffrey White
15b8aa1979 Swift: Effect on other tests :) 2023-02-10 14:16:48 +00:00
Geoffrey White
6cb9198ee2 Swift: Control flow through #available. 2023-02-10 13:32:33 +00:00
Paolo Tranquilli
9d433eb420 Merge branch 'main' into redsun82/swift-doc-for-schema-doc 2023-02-10 14:27:56 +01:00
Michael Nebel
db41463d72 C#: Test of relaxed shift operator requirements. 2023-02-10 10:33:20 +01:00
Geoffrey White
38f4f65fc0 Swift: Add CFG test cases for #available. 2023-02-10 09:29:08 +00:00
Michael Nebel
1bd223b8c8 Merge pull request #12103 from michaelnebel/csharp/scopedmodfier
C# 11: Scoped parameters and local variables.
2023-02-10 10:04:09 +01:00
Paolo Tranquilli
fc7c72db77 Swift: tweaks to the schema doc documentation 2023-02-10 08:58:07 +01:00
Paolo Tranquilli
adf47b9a9c Merge branch 'main' into redsun82/swift-doc-for-schema-doc 2023-02-10 08:49:31 +01:00
Paolo Tranquilli
c92fd97783 Merge pull request #12140 from github/redsun82/swift-fix-upgrade
Swift: remove query predicates in upgrade/downgrade scripts
2023-02-10 08:49:08 +01:00
Geoffrey White
224bc9381a Swift: Fix ConditionElement.toString(). 2023-02-09 21:15:36 +00:00
Michael Nebel
8d8ebeade1 Merge pull request #12067 from michaelnebel/csharp/reflectionload
C#: Delete dead assembly load code.
2023-02-09 18:49:36 +01:00
Paolo Tranquilli
7fa85b34ea Swift: remove query predicates in upgrade/downgrade scripts 2023-02-09 17:24:27 +01:00
Sim4n6
09df055d86 Fix the exists cast warning 2023-02-09 15:25:54 +01:00
Sim4n6
b04d5684fb add a blank line at the end of the file 2023-02-09 15:23:58 +01:00
Anders Schack-Mulligen
770f3c24bb Java: Improve performance of GeneratedFileMarker. 2023-02-09 15:08:32 +01:00
Sim4n6
16ef50401b Update python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
Co-authored-by: yoff <lerchedahl@gmail.com>
2023-02-09 14:59:28 +01:00
Ian Lynagh
968f588893 Merge pull request #12090 from igfoo/igfoo/kotlin-1.8.10
Kotlin: 1.8.10 and 1.8.20 are supported, and use 1.8.10 for CI
2023-02-09 12:06:42 +00:00
Paolo Tranquilli
1e279125dc Swift: add documentation for generated documentation 2023-02-09 12:52:16 +01:00
Michael Nebel
0f469ee0f7 C#: Add stats for the scoped annotation relation. 2023-02-09 12:28:15 +01:00
Arthur Baars
07947e6528 Address comments 2023-02-09 12:02:14 +01:00
dependabot[bot]
80a397b4a5 Merge pull request #12134 from github/dependabot/cargo/ruby/serde_json-1.0.93 2023-02-09 10:50:27 +00:00
Michael Nebel
d4985a99e0 C#: Add change note. 2023-02-09 11:32:09 +01:00
Michael Nebel
59ab353827 C#: Add upgrade and downgrade scripts. 2023-02-09 11:32:09 +01:00
Michael Nebel
54b45134ef C#: Add example code including tests. 2023-02-09 11:32:09 +01:00
Michael Nebel
c00b089aa8 C#: Introduce library support for scoped. 2023-02-09 11:32:08 +01:00
Michael Nebel
955f23d021 C#: Introduce extractor support for scoped variables and parameters. 2023-02-09 11:32:08 +01:00
Michael Nebel
dd6ceb7053 C#: Extend the DB schema with a scoped annotation relation. 2023-02-09 11:32:08 +01:00
Michael Nebel
7e174dce8b C#: Re-factor. Introduce variablekind enum. 2023-02-09 11:32:08 +01:00
Michael Nebel
89bebe9d36 C#: Re-factor local variable populate. 2023-02-09 11:32:08 +01:00
Michael B. Gale
ad4ae1c331 Merge pull request #12132 from github/mbg/fix/log-injection-precision
Go: Downgrade `go/log-injection` precision to medium
2023-02-09 10:29:24 +00:00
Michael B. Gale
70a6ff84af Add change note 2023-02-09 09:56:36 +00:00
Geoffrey White
0f6b05dedf Merge pull request #12126 from geoffw0/append
Swift: Move some models into collections
2023-02-09 09:33:08 +00:00
Michael Nebel
b895065be9 Merge pull request #12058 from michaelnebel/csharp/structdefaults
C# 11: Check that we get AST for structs that don't initialise all fields.
2023-02-09 09:51:00 +01:00
Anders Schack-Mulligen
3e2bf23bfe Merge pull request #12118 from michaelnebel/telemetry/performancefix
C#/Java: Materialize sink/source/summary predicates to avoid bad join order.
2023-02-09 09:39:38 +01:00
dependabot[bot]
bd98ae0dcc build(deps): bump serde_json from 1.0.91 to 1.0.93 in /ruby
Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.91 to 1.0.93.
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](https://github.com/serde-rs/json/compare/v1.0.91...v1.0.93)

---
updated-dependencies:
- dependency-name: serde_json
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-09 08:13:18 +00:00
Erik Krogh Kristensen
f2904ca29b Merge pull request #12135 from github/dependabot/cargo/ql/serde_json-1.0.93
build(deps): bump serde_json from 1.0.92 to 1.0.93 in /ql
2023-02-09 09:08:45 +01:00
dependabot[bot]
5e2f9e1568 build(deps): bump serde_json from 1.0.92 to 1.0.93 in /ql
Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.92 to 1.0.93.
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](https://github.com/serde-rs/json/compare/v1.0.92...v1.0.93)

---
updated-dependencies:
- dependency-name: serde_json
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-09 03:09:08 +00:00
Chris Smowton
f113eaa77d Merge pull request #12059 from pwntester/go_twirp_support
[GoLang] Add support for Twirp framework
2023-02-08 21:55:56 +00:00
Sim4n6
4196230a8a use if-then-else rather than nested exists 2023-02-08 21:46:50 +01:00
Sim4n6
9e285020a1 Comment modif + remove redundant cast 2023-02-08 21:14:53 +01:00
Michael B. Gale
46d49cd66f Downgrade log injection precision to medium
This is in line with the precision of this query for other languages
2023-02-08 15:49:06 +00:00
Michael Nebel
f6a02310d3 C#: Fix bad join order in TestLibrary characteristic predicate. 2023-02-08 16:37:49 +01:00
Owen Mansel-Chan
18335854b6 Update go/ql/lib/semmle/go/frameworks/Twirp.qll
Co-authored-by: Michael B. Gale <mbg@github.com>
2023-02-08 15:33:35 +00:00
Erik Krogh Kristensen
3ebac65167 apply change-note suggestions from doc review
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
2023-02-08 14:55:54 +01:00
Robert
13c7c8449c Merge pull request #12123 from github/robertbrignull/telemetry_privacy_docs
Update telemetry privacy document for UI interaction and exceptions
2023-02-08 13:40:35 +00:00
Arthur Baars
78ad9d67b4 Address comments 2023-02-08 13:40:46 +01:00
Ian Lynagh
844e372651 Kotlin: Add a changenote for 1.8.20 support 2023-02-08 11:35:23 +00:00
Ian Lynagh
069c9674d1 Kotlin: Update supported versions 2023-02-08 11:35:23 +00:00
Ian Lynagh
6255298876 Kotlin: Use 1.8.10 for CI
I don't think there's any need for the CI version to be one of the
versions we build extractors for, so I've removed that check.
2023-02-08 11:35:23 +00:00
Chris Smowton
99bed0b089 Merge pull request #12127 from smowton/smowton/perf/golang-less-string-construction
Go: Consolidate repeated calls to `matches` and `regexpMatch`
2023-02-08 11:07:39 +00:00
Michael Nebel
02364d072e Java: Fix bad join in TestLibrary characteristic predicate. 2023-02-08 11:59:59 +01:00
Alvaro Muñoz
764155ce97 remove bracket 2023-02-08 11:57:03 +01:00
Michael B. Gale
3abf321071 Merge pull request #11496 from github/mbg/add/writable-file-closed-error-query
Go: Add query to detect lack of error handling for `os.File.Close` on writable handles
2023-02-08 10:53:44 +00:00
Owen Mansel-Chan
931c683146 Use regex for case-insensitive string comparisons
This is slightly more efficient.
2023-02-08 10:45:07 +00:00
erik-krogh
eb564760be improve qhelp based on doc review 2023-02-08 11:00:54 +01:00
Mathias Vorreiter Pedersen
7f09684577 Merge pull request #12121 from github/alexdenisov/extract-availability-info
Swift: extract availability info
2023-02-08 09:54:42 +00:00
Michael Nebel
f8dbbe006e C#/Java: Materialize sink/source/summary predicates to avoid join on input/output before filtering. 2023-02-08 10:04:43 +01:00
Owen Mansel-Chan
c427f8fc95 Do not import file defining a Configuration 2023-02-08 06:31:25 +00:00
Henry Mercer
6e9484970f Merge pull request #12128 from github/codeql-ci/atm/release-0.4.7
JS: Bump version numbers of ML-powered packs after 0.4.7 release
2023-02-07 22:29:20 +00:00
Henry Mercer
e972cb069e Merge branch 'main' into codeql-ci/atm/release-0.4.7 2023-02-07 21:31:08 +00:00
github-actions[bot]
4f76ebbb0b JS: Bump version of ML-powered library and query packs to 0.4.8 2023-02-07 19:44:25 +00:00
github-actions[bot]
30b2644f17 JS: Bump patch version of ML-powered library and query packs 2023-02-07 19:34:58 +00:00
Chris Smowton
99d3f689dc Consolidate repeated calls to matches and regexpMatch
This is especially useful if it avoids temporary string construction, such as toLowerCase().matches(...)
2023-02-07 19:22:49 +00:00
Robert
15b293c56d Apply copy edits 2023-02-07 17:11:47 +00:00
Geoffrey White
60e7d6b540 Swift: Move insert to RangeReplaceableCollection. 2023-02-07 17:08:23 +00:00
Geoffrey White
7cb665cde1 Swift: Move popLast to BidirectionalCollection and add popFirst. 2023-02-07 16:56:00 +00:00
Geoffrey White
d17c7bb0e8 Swift: Move first(_:), last(_:) into Sequence, BidirectionalCollection. 2023-02-07 16:47:02 +00:00
Geoffrey White
3586926157 Swift: Move first, last into Collection, BidirectionalCollection. 2023-02-07 16:36:06 +00:00
Taus
080ce09bd7 Python: Update six test expectations 2023-02-07 16:21:15 +00:00
Taus
8dea993f41 Python: Update failing test
Seems the name for the codec changed between Python 2 and 3. :)
2023-02-07 16:21:15 +00:00
Taus
49a3dd6131 Python: Clean up version handling
Depends on an internal PR.
2023-02-07 16:21:15 +00:00
Mathias Vorreiter Pedersen
334c41c3e1 Merge pull request #12122 from github/post-release-prep/codeql-cli-2.12.2
Post-release preparation for codeql-cli-2.12.2
2023-02-07 16:17:57 +00:00
Geoffrey White
b69d8625e5 Swift: Move append methods into RangeReplaceableCollection. 2023-02-07 16:07:35 +00:00
Geoffrey White
f9f08fff83 Swift: Use RangeReplaceableCollection in the test. 2023-02-07 16:03:51 +00:00
Tom Hvitved
8e8897b08b Data flow: Sync files 2023-02-07 15:15:04 +01:00
Tom Hvitved
10534b62c9 Data flow: Call context virtual dispatch pruning in stage 1 2023-02-07 15:14:27 +01:00
Robert
80a503b65d Update telemetry privacy document for UI interaction and exceptions 2023-02-07 14:00:22 +00:00
Mathias Vorreiter Pedersen
1980e25ac9 Merge pull request #12120 from MathiasVP/even-fewer-strings
C++: Avoid unnecessary calls to `toLowerCase()`
2023-02-07 13:57:12 +00:00
Alex Denisov
3448cde048 Swift: add database migration 2023-02-07 14:31:19 +01:00
Alex Denisov
712c25e6f4 Swift: extract availability info 2023-02-07 14:26:39 +01:00
github-actions[bot]
522a892d32 Post-release preparation for codeql-cli-2.12.2 2023-02-07 13:19:06 +00:00
Mathias Vorreiter Pedersen
746f04bafc C++: Construct fewer strings. 2023-02-07 11:44:32 +00:00
Tom Hvitved
984729f9b0 Merge pull request #12117 from hvitved/ruby/delay-location-to-string
Ruby: Avoid computing `Location::toString` in full
2023-02-07 12:42:03 +01:00
Mathias Vorreiter Pedersen
ff29356ae9 Merge pull request #12106 from MathiasVP/fewer-strings
C++: Replace `toUpperCase().matches("...")` with case-insensitive `regexpMatch`
2023-02-07 11:31:36 +00:00
Paolo Tranquilli
c9397a5abf Merge pull request #10950 from github/redsun82/swift-regex
Swift: extract `RegexLiteralExpr`
2023-02-07 11:30:43 +01:00
Alvaro Muñoz
642a138eaa Update Twirp.qll 2023-02-07 10:44:48 +01:00
Geoffrey White
d8616e77d5 Merge pull request #12108 from geoffw0/strings3
Swift: Remove a no-longer-needed special case from swift/unsafe-js-eval.
2023-02-07 09:44:41 +00:00
Paolo Tranquilli
a3b443c310 Swift: add upgrade/downgrade scripts for regex extraction 2023-02-07 10:21:37 +01:00
Paolo Tranquilli
ad04a408c7 Swift: add doc to RegexLiteralExpression 2023-02-07 10:21:37 +01:00
Paolo Tranquilli
50889b8fa1 Swift: move regex test to integration tests 2023-02-07 10:21:37 +01:00
Tom Hvitved
c0e3186607 Ruby: Avoid computing Location::toString in full 2023-02-07 10:06:47 +01:00
Paolo Tranquilli
d201c1eadd Swift: support linux-only tests 2023-02-07 09:41:06 +01:00
Paolo Tranquilli
a244b825df Merge branch 'main' into redsun82/swift-regex 2023-02-07 09:37:09 +01:00
Anders Schack-Mulligen
3c580896dc Merge pull request #11712 from aschackmull/java/constant-guards
Java: Apply deadcode guard to data flow nodes.
2023-02-07 09:14:20 +01:00
Harry Maclean
43ce26e4d0 Ruby: re-add Eval.rb 2023-02-07 09:37:26 +13:00
Jeroen Ketema
a4c3ea2efc Merge pull request #9245 from ihsinme/ihsinme-patch-102
CPP: Add query for CWE-805: Buffer Access with Incorrect Length Value using some functions
2023-02-06 21:24:07 +01:00
Jeroen Ketema
1c35109675 C++: Add experimental tag to experimental query 2023-02-06 20:31:26 +01:00
Jeroen Ketema
868f07bc91 Merge branch 'main' into ihsinme-patch-102 2023-02-06 20:16:53 +01:00
Geoffrey White
996536b08e Swift: Remove a no-longer-needed special case from swift/unsafe-js-eval. 2023-02-06 17:35:21 +00:00
Mathias Vorreiter Pedersen
4016299aa8 Update cpp/ql/lib/semmle/code/cpp/security/Encryption.qll
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
2023-02-06 15:55:15 +00:00
Erik Krogh Kristensen
4eebeab8a8 Merge pull request #12078 from erik-krogh/qlCache
QL: simplify the QL-for-QL workflow, which should also fix the cache
2023-02-06 16:21:45 +01:00
Mathias Vorreiter Pedersen
1c9a526afa C++: Construct fewer strings. 2023-02-06 15:18:15 +00:00
erik-krogh
9364a85e49 add Rust format check to QL-for-QL tests 2023-02-06 14:26:30 +01:00
Erik Krogh Kristensen
9360ae9638 Merge pull request #12076 from erik-krogh/poly-sink-track
PY: add tracking of strings to compile-sites for poly-redos
2023-02-06 14:21:04 +01:00
Anders Schack-Mulligen
b4607d3fab Java: Add change notes. 2023-02-06 13:55:34 +01:00
Geoffrey White
dc59ed08f9 Merge pull request #12094 from geoffw0/string2
Swift: Models for the String class
2023-02-06 11:24:19 +00:00
Chris Smowton
cd2fc6566f Merge pull request #12101 from owen-mc/go/gofmt-remove-confusing-error-message
Fix files that gofmt can't parse
2023-02-06 10:58:54 +00:00
Mathias Vorreiter Pedersen
00fe448e3a Merge pull request #12072 from aschackmull/dataflow/stage3-perf
Dataflow: Fix join in `fwdFlowRead` (take 2)
2023-02-06 10:43:11 +00:00
Erik Krogh Kristensen
f32fa25c1a Merge pull request #12100 from github/dependabot/cargo/ql/serde_json-1.0.92
build(deps): bump serde_json from 1.0.91 to 1.0.92 in /ql
2023-02-06 10:33:32 +01:00
Arthur Baars
e382d6d000 Ruby: update stats 2023-02-06 10:28:19 +01:00
Arthur Baars
ec46f33a01 Ruby: add change note 2023-02-06 10:17:19 +01:00
Arthur Baars
f391948b53 Ruby: update expected output 2023-02-06 10:17:19 +01:00
Arthur Baars
4af0c4bb03 Ruby: desugar one-line pattern matches 2023-02-06 10:17:19 +01:00
Arthur Baars
3c15fd266d Ruby: add one-line pattern match test 2023-02-06 10:17:19 +01:00
Arthur Baars
edbba85b96 Ruby: add one-line pattern matches to AST 2023-02-06 10:17:18 +01:00
Arthur Baars
e390ca50b0 Ruby: upgrade/downgrade scripts 2023-02-06 10:17:18 +01:00
Arthur Baars
90c51ef404 Ruby: re-generate dbscheme and library 2023-02-06 10:17:18 +01:00
Arthur Baars
c554a10e06 Ruby: update tree-sitter-ruby 2023-02-06 10:17:18 +01:00
Michael B. Gale
f7a2a8677a Rename change note file 2023-02-06 09:13:11 +00:00
Michael B. Gale
6c0d2bdee1 Add example without defer statement 2023-02-06 09:10:41 +00:00
Michael B. Gale
25f907867b Update expected test output 2023-02-06 08:51:46 +00:00
Michael B. Gale
abe38373da Inline precededBySync 2023-02-06 08:47:47 +00:00
Michael B. Gale
c252ec0414 Add test for deferred close that returns error 2023-02-06 08:47:47 +00:00
Michael B. Gale
e05bce9863 Update expected test results 2023-02-06 08:47:46 +00:00
Michael B. Gale
314ecab90a Use dominatesNode and improve variable naming 2023-02-06 08:47:46 +00:00
Michael B. Gale
85a339030b Make the query a path-problem 2023-02-06 08:47:46 +00:00
Michael B. Gale
199c8641ec Rename close to sink in query 2023-02-06 08:47:46 +00:00
Michael B. Gale
f648b021a9 Despecialise parameter names for precededBySync 2023-02-06 08:47:46 +00:00
Michael B. Gale
bd6c167be6 Fixup: more docs improvements 2023-02-06 08:47:46 +00:00
Michael B. Gale
f866e16679 Use any instead of exists for isCloseSink 2023-02-06 08:47:45 +00:00
Michael B. Gale
5ab6056b26 Fixup: docs comment 2023-02-06 08:47:45 +00:00
Michael B. Gale
3f446bc76e Use three-argument hasQualifiedName 2023-02-06 08:47:45 +00:00
Michael B. Gale
07041bb659 Use Method instead of Function where able 2023-02-06 08:47:45 +00:00
Michael B. Gale
416ed57583 Fix qldoc comments 2023-02-06 08:47:45 +00:00
Michael B. Gale
f321adf9f4 Fix typo
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2023-02-06 08:47:44 +00:00
Michael B. Gale
10109b4925 Fix class comments 2023-02-06 08:47:44 +00:00
Michael B. Gale
49ce91fd5b Update precision to high 2023-02-06 08:47:44 +00:00
Michael B. Gale
7e9617f3ce Detect lack of error handling for os.File.Close 2023-02-06 08:47:43 +00:00
Tamás Vajk
c03fe70b8d Merge pull request #12086 from tamasvajk/feature/fix-exception-handling-archive
C#: Change handled exception in `TrapWriter.ArchiveContents`
2023-02-06 08:53:56 +01:00
Owen Mansel-Chan
9ed7836367 Fix files that gofmt can't parse
We have some .go files that gofmt can't parse because they don't start
with "package". This was intentional, as they are fragments to be
included in .qhelp files. They don't affect the return code as gofmt
doesn't change their formatting, so this wasn't changing the result of
the check. However, it was confusing that when the check failed because
some other files weren't formatted correctly, the user would see the
stderr complaining about those files, so we capture stderr.

It would be an improvement to print which files are not formatted
correctly, but that was beyond my abilities with bash and makefiles.
2023-02-06 07:16:58 +00:00
dependabot[bot]
33e8414fc4 build(deps): bump serde_json from 1.0.91 to 1.0.92 in /ql
Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.91 to 1.0.92.
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](https://github.com/serde-rs/json/compare/v1.0.91...v1.0.92)

---
updated-dependencies:
- dependency-name: serde_json
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-06 03:29:59 +00:00
Sim4n6
ec82d61991 Add another frequently used step 2023-02-05 14:36:17 +01:00
Chris Smowton
03385ac0b5 Merge pull request #12097 from github/smowton/admin/macos-ventura
Add MacOS Ventura to supported platforms
2023-02-04 17:54:21 +00:00
Philip Ginsbach
8cefde36bf Merge pull request #12088 from github/ginsbach/DocumentFinalAlias
document final type aliases
2023-02-04 12:23:03 +00:00
Chris Smowton
f8b574c654 Add MacOS Ventura to supported platforms
Rebase of e8bf8fe7a4
2023-02-04 08:28:03 +00:00
Harry Maclean
02b09ca9f7 Ruby: Remove unused test files 2023-02-04 14:42:59 +13:00
Harry Maclean
cfb3bc9dce Ruby: Remove unused test file 2023-02-04 14:30:56 +13:00
Harry Maclean
0711326619 Ruby: Move PosixSpawn tests to their own directory 2023-02-04 14:30:23 +13:00
Harry Maclean
dbbef0534b Ruby: Move Core tests into core directory 2023-02-04 14:28:25 +13:00
Harry Maclean
b5d98d9011 Ruby: Move GraphQL test to their own directory 2023-02-04 14:25:38 +13:00
Harry Maclean
6c816d5602 Ruby: Move ActionDispatch tests to own directory 2023-02-04 14:19:08 +13:00
Harry Maclean
58d7af4018 Ruby: Move ActionView tests into their own dir
This ensures that changes to unrelated test files don't affect these
tests.
2023-02-04 14:19:08 +13:00
Mathias Vorreiter Pedersen
7642245747 Merge pull request #12095 from github/post-release-prep/codeql-cli-2.12.2
Post-release preparation for codeql-cli-2.12.2
2023-02-04 01:03:14 +00:00
Jami Cogswell
2d7e71dfce Java: add read-file sink kind for first arg of copy 2023-02-03 17:28:46 -05:00
github-actions[bot]
57f40ccd48 Post-release preparation for codeql-cli-2.12.2 2023-02-03 21:12:22 +00:00
Alvaro Muñoz
23c7bc8143 import RequestForgery from tests.ql 2023-02-03 22:05:50 +01:00
Jami
b6805c6913 Merge pull request #11863 from jcogs33/jcogs33/update-paramsString
Java: update paramsString
2023-02-03 15:47:38 -05:00
Geoffrey White
364c173fc3 Swift: Accept additional taint flow in UnsafeJsEval test. 2023-02-03 19:21:10 +00:00
Geoffrey White
1f69fff26c Swift: Fix mistake caught by QL-for-QL. 2023-02-03 19:15:08 +00:00
Geoffrey White
f82a548cf9 Swift: Comments and formatting. 2023-02-03 18:50:51 +00:00
Geoffrey White
c666f9c845 Merge pull request #12089 from geoffw0/filedoc
Swift: QLDoc models files consistently.
2023-02-03 18:45:20 +00:00
Geoffrey White
ec72c7504c Swift: Add a partial model of Collection. 2023-02-03 18:42:42 +00:00
Geoffrey White
e357b44943 Swift: Add a partial model of Sequence. 2023-02-03 18:42:42 +00:00
Geoffrey White
4bb0bbf488 Swift: Remove redundant copies. 2023-02-03 18:42:41 +00:00
Geoffrey White
e230951a14 Swift: Model StringProtocol methods. 2023-02-03 18:42:41 +00:00
Jonas Jensen
41f7c7ae53 Merge pull request #12092 from jbj/aliases-upper-case 2023-02-03 18:40:53 +01:00
Alvaro Muñoz
04d5b7e579 make RequestForgery import private 2023-02-03 18:19:35 +01:00
Alvaro Muñoz
4b198f9af8 apply code review feedback 2023-02-03 18:12:49 +01:00
Alvaro Muñoz
844193d065 use regexp to capture generated file names 2023-02-03 18:08:56 +01:00
Alvaro Muñoz
1d0e80c2f5 Apply suggestions from code review
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2023-02-03 17:59:29 +01:00
Alvaro Muñoz
3002230af9 remove duplicated import 2023-02-03 17:48:13 +01:00
Philip Ginsbach
1ec2c2591b fix documentation generator problem 2023-02-03 16:42:07 +00:00
Owen Mansel-Chan
2f637e2c8e Remove unused variable 2023-02-03 16:36:20 +00:00
Alvaro Muñoz
c517eb89b2 add more sinks 2023-02-03 17:33:08 +01:00
Jonas Jensen
73112e401c Change type name to upper case
QL doesn't allow types to be declared in lower case, so the example did
not compile.
2023-02-03 17:30:12 +01:00
Calum Grant
7d8b624a71 Basic script to generate shared code metrics 2023-02-03 16:24:39 +00:00
Philip Ginsbach
a354e776bf document final type aliases 2023-02-03 15:59:47 +00:00
Alvaro Muñoz
20dc30d7e8 add RequestForgery test 2023-02-03 16:38:56 +01:00
Philip Ginsbach
a639f13fd9 Merge pull request #12085 from github/ginsbach/DocumentModuleSignatureMemberDefaults
document module signature member defaults
2023-02-03 15:33:00 +00:00
Alvaro Muñoz
6b3d458865 Apply suggestions from code review
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2023-02-03 16:20:21 +01:00
Alvaro Muñoz
c7637a7e1f Apply suggestions from code review
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2023-02-03 16:19:48 +01:00
Anders Schack-Mulligen
2d6d8aaa74 Java: Account for additional constants in ArrayIndexOutOfBounds query. 2023-02-03 16:16:39 +01:00
Anders Schack-Mulligen
a1aeb995e6 Java: Apply deadcode guard to data flow nodes. 2023-02-03 16:16:39 +01:00
Anders Schack-Mulligen
e8dbd65d77 Java: Refactor compile-time constant calculation and apply to ConstantIntegerExpr. 2023-02-03 16:16:27 +01:00
Alvaro Muñoz
a0cf8e786c fix SSRF sink 2023-02-03 16:16:00 +01:00
Alvaro Muñoz
7140b956e8 improve generated files matching predicates 2023-02-03 16:13:44 +01:00
Tamas Vajk
f90c5346bf C#: Change handled exception in TrapWriter.ArchiveContents 2023-02-03 15:13:23 +01:00
Geoffrey White
38eeb9c747 Swift: Model String methods. 2023-02-03 12:26:55 +00:00
Geoffrey White
1077dcd2e3 Swift: Model String initializers. 2023-02-03 11:36:35 +00:00
Philip Ginsbach
b8bd98e476 Merge pull request #12075 from github/ginsbach/RemoveIncorrectStatement
remove statement about namespaces from documentation that no longer holds
2023-02-03 11:18:07 +00:00
Geoffrey White
142ca0c9fb Swift: Model StringProtocol initializers. 2023-02-03 10:53:44 +00:00
Geoffrey White
d888510688 Swift: Fix incorrect taint to String fields. 2023-02-03 10:21:52 +00:00
Geoffrey White
d25de8c764 Swift: Taint fields of StringProtocol. 2023-02-03 10:16:33 +00:00
Philip Ginsbach
e552a6206d shadowing and visibility of default predicates 2023-02-03 10:11:25 +00:00
Geoffrey White
21abe54d8d Swift: Greatly extend tests of taint through strings. 2023-02-03 10:11:12 +00:00
Philip Ginsbach
09fdf744d4 introduce module signature member defaults 2023-02-03 10:01:59 +00:00
Geoffrey White
bf6ef43451 Swift: Document library model files consistently. 2023-02-03 09:59:35 +00:00
erik-krogh
3545bb0819 adjust qhelp based on review 2023-02-03 10:50:18 +01:00
Mathias Vorreiter Pedersen
4e7ca1a175 Merge pull request #12082 from github/post-release-prep/codeql-cli-2.12.2
Post-release preparation for codeql-cli-2.12.2
2023-02-03 09:40:57 +00:00
Philip Ginsbach
808d3e3a1f Merge pull request #12084 from github/ginsbach/IncorrectEnvironmentNumbering
we actually only distinguish four environments
2023-02-03 09:37:39 +00:00
Alvaro Muñoz
50bd0707ce remove redundant import 2023-02-03 10:19:35 +01:00
Alvaro Muñoz
3a9d650cb9 add qldocs for member predicates 2023-02-03 10:09:16 +01:00
Philip Ginsbach
56e0b19df8 we actually only distinguish four environments 2023-02-03 09:04:43 +00:00
Alvaro Muñoz
8cb022713e include review feedback 2023-02-03 10:01:55 +01:00
Arthur Baars
9a4cec7691 Merge pull request #11956 from aibaars/json-log
Ruby: structured logging
2023-02-03 09:54:49 +01:00
Alvaro Muñoz
13242df149 Apply suggestions from code review
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2023-02-03 09:45:00 +01:00
Alvaro Muñoz
dd31be43e0 Support for Twirp framework 2023-02-03 09:35:22 +01:00
github-actions[bot]
faf21f3edb Post-release preparation for codeql-cli-2.12.2 2023-02-02 23:01:04 +00:00
erik-krogh
6e712b293a add tracking of strings to compile-sites for poly-redos, in the style of Ruby 2023-02-02 22:56:20 +01:00
Jami Cogswell
30b1a2edbc Java: add first argument to copy sink 2023-02-02 16:20:54 -05:00
Jami Cogswell
61a8f5e425 Java: add signature to createTempDirectory sink 2023-02-02 16:19:20 -05:00
erik-krogh
34266cfa4c simplify the QL-for-QL workflow, which should also fix the cache 2023-02-02 22:17:38 +01:00
Sim4n6
a0150849cb Updated the expected test file 2023-02-02 21:42:47 +01:00
Sim4n6
1a8c9abee2 Incorporate Sink & Source as steps from TarSlipQry 2023-02-02 21:09:40 +01:00
erik-krogh
52959d7c0a add failing test for not tracking strings to re.compile 2023-02-02 19:10:32 +01:00
Erik Krogh Kristensen
c8cfb6a0cc Merge pull request #12065 from knewbury01/knewbury01/fix-js-cleartext-logging-doc
Update JS CleartextLogging qhelp
2023-02-02 18:23:59 +01:00
Philip Ginsbach
55cd436b06 Merge pull request #12074 from github/ginsbach/DocumentShadowing2
shadowing in the QL language specification
2023-02-02 17:13:47 +00:00
Philip Ginsbach
1542353af7 statement no longer holds for namespaces with shadowing 2023-02-02 16:55:06 +00:00
Alvaro Muñoz
2576a09af9 remove unnecessary line 2023-02-02 17:50:50 +01:00
Nora Dimitrijević
a3a01ddc11 Merge pull request #11855 from d10c/swift/extract-captures 2023-02-02 17:50:41 +01:00
Philip Ginsbach
ab184ebd78 shadowing in the QL language specification 2023-02-02 16:19:18 +00:00
Kristen Newbury
21b4931fbb Merge branch 'main' into knewbury01/fix-js-cleartext-logging-doc 2023-02-02 11:12:57 -05:00
Kristen Newbury
231110ddca Update javascript/ql/src/Security/CWE-312/CleartextLogging.qhelp
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2023-02-02 11:12:44 -05:00
Henry Mercer
65863f1fc7 Merge pull request #10826 from github/dependabot/github_actions/actions/setup-dotnet-3.0.2
build(deps): bump actions/setup-dotnet from 2 to 3
2023-02-02 15:54:55 +00:00
Philip Ginsbach
1472d4b782 Merge pull request #12062 from github/ginsbach/DocumentShadowing
shadowing in the handbook
2023-02-02 15:52:54 +00:00
Anders Schack-Mulligen
67d4ed53b9 Dataflow: Sync. 2023-02-02 16:33:00 +01:00
Anders Schack-Mulligen
8cb233df1a Dataflow: A proper perf fix for the stage-dependent fanout direction of the Content-to-Ap relation. 2023-02-02 16:31:07 +01:00
Michael Nebel
77283be6c0 Merge pull request #12068 from michaelnebel/csharp/dotnetpublishtest
C#: Avoid that the dotnet publish test refers to a specific .NET vers…
2023-02-02 15:34:06 +01:00
Michael Nebel
960f776e29 C#: Avoid that the dotnet publish test refers to a specific .NET version. 2023-02-02 14:18:50 +01:00
Philip Ginsbach
4282e1a18e explicitly mention aliases 2023-02-02 13:04:43 +00:00
Philip Ginsbach
2b719d503d visible namespaces also include private imports 2023-02-02 13:03:30 +00:00
Michael Nebel
ae10a6beb0 C#: Check that we get AST for struct that doesn't initialize all fields. 2023-02-02 12:50:59 +01:00
Nora Dimitrijević
ad5dbe18a4 Swift: db upgrade/downgrade script 2023-02-02 12:00:47 +01:00
Nora Dimitrijević
50e5b29eb7 Swift: all Callables can have captures [codegen'd] 2023-02-02 11:56:51 +01:00
Nora Dimitrijević
ce2e7f1d12 Swift: all Callables can have captures [hand-written] 2023-02-02 11:35:50 +01:00
Nora Dimitrijević
d230431006 Swift: extract closure captures (codegen'd part) 2023-02-02 11:35:49 +01:00
Nora Dimitrijević
6895c113cf Swift: extract closure captures (hand-written part) 2023-02-02 11:30:33 +01:00
Nora Dimitrijević
87f7bc3a63 Swift: introduce closure capture AST test 2023-02-02 11:30:33 +01:00
Michael Nebel
470e4b64ea C#: Delete assembly load code as it always throws a PlatformNotSupported exception. 2023-02-02 10:06:04 +01:00
dependabot[bot]
787fe38d90 build(deps): bump actions/setup-dotnet from 2 to 3.0.2
Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 2 to 3.0.2.
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](https://github.com/actions/setup-dotnet/compare/v2...v3.0.2)

---
updated-dependencies:
- dependency-name: actions/setup-dotnet
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-02 08:09:43 +00:00
Kristen Newbury
dc5eb40d5f Update JS CleartextLogging qhelp 2023-02-01 16:29:13 -05:00
Alvaro Muñoz
d6f1dfa205 update tests 2023-02-01 17:58:32 +01:00
Philip Ginsbach
c5deb8544b rework documentation of namespaces to take account of shadowing 2023-02-01 16:56:35 +00:00
Alvaro Muñoz
4d6b35f891 apply gofmt 2023-02-01 14:51:48 +01:00
Alvaro Muñoz
70a151af02 add change-notes 2023-02-01 14:49:30 +01:00
Alvaro Muñoz
a3188f2e10 address review feedback 2023-02-01 14:43:51 +01:00
Alvaro Muñoz
3502ab6523 fix missing QLDocs and refactor ServiceInterface 2023-02-01 14:37:38 +01:00
Alvaro Muñoz
afa6b1cec5 Initial support for Twirp framework 2023-02-01 13:55:09 +01:00
Arthur Baars
a46061541b Ruby: address review comment 2023-02-01 09:59:05 +01:00
Arthur Baars
fa81d9da18 Apply suggestions from code review
Co-authored-by: Harry Maclean <hmac@github.com>
2023-02-01 09:47:39 +01:00
Arthur Baars
57012714d6 Ruby: serialize timestamps as ISO8601 2023-01-31 14:32:29 +01:00
Arthur Baars
d944c2bd79 Ruby: address comments 2023-01-31 10:22:12 +01:00
erik-krogh
31743afa87 add change-note 2023-01-30 16:34:23 +01:00
erik-krogh
e01002368f add query detecting validators that use badly anchored regular expressions on library/remote input 2023-01-30 16:34:20 +01:00
Arthur Baars
907ebb723e Merge branch 'main' into json-log 2023-01-30 10:49:42 +01:00
Sim4n6
7079def7ce Add an S3 source with Session or download_fileobj 2023-01-30 00:49:23 +01:00
Sim4n6
0707064ab5 Constrain the save/path step 2023-01-28 10:14:24 +01:00
Sim4n6
a4aaf0ec6f Remove a write step & update the builtin open step 2023-01-28 09:53:54 +01:00
Sim4n6
0e2f37825d Organize steps to correspond to the sample code 2023-01-27 23:58:03 +01:00
Sim4n6
ee213123ac Add builtin open as an additional step 2023-01-27 18:16:11 +01:00
Sim4n6
0b27b1314a Update python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
Co-authored-by: yoff <lerchedahl@gmail.com>
2023-01-27 16:12:08 +01:00
Sim4n6
7a126a2317 Merge branch 'github:main' into UnsafeUnpack 2023-01-27 16:09:41 +01:00
Sim4n6
8ef2aa00e7 Update python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
Co-authored-by: yoff <lerchedahl@gmail.com>
2023-01-27 16:07:39 +01:00
Sim4n6
207ed3da9c Constrain the object & the call 2023-01-27 15:07:20 +01:00
Sim4n6
18d8bbc9a4 Updated the expected results accordingly 2023-01-27 14:05:25 +01:00
Sim4n6
e41042418a Update the import relative to the dataflow config 2023-01-27 13:46:57 +01:00
Sim4n6
5f0bf1053a Update the dataflow test query and the expected results 2023-01-27 13:42:57 +01:00
Sim4n6
bca053f855 Move the config query to the parent directory 2023-01-27 13:42:14 +01:00
Sim4n6
998f1bf215 Some reformatting 2023-01-26 18:54:36 +01:00
Nora
5993b60980 Update copy 2023-01-26 17:37:15 +01:00
Sim4n6
1a211485a4 Restrain the source and add two steps. 2023-01-26 17:07:59 +01:00
Sim4n6
51b11de44a Add a Django Upload examples 2023-01-26 15:16:24 +01:00
Sim4n6
54cc4d6498 Opt for any source from RemoteFlowSource. 2023-01-26 12:51:55 +01:00
Sim4n6
aaa0040612 Separate the dataflow config from the query 2023-01-26 08:53:47 +01:00
Sim4n6
9464940214 Add expected results for argparse source 2023-01-26 01:00:19 +01:00
Sim4n6
2e4cb63049 Optimize the Argparse filename as a source. 2023-01-26 01:00:01 +01:00
Sim4n6
f867c9008f Commit the expected results 2023-01-26 00:08:54 +01:00
Sim4n6
9b5b0c60b8 Handle the download of a tarball using wget pkg. 2023-01-26 00:02:20 +01:00
Sim4n6
22af6f5182 Restrict download_file() to boto3 lib 2023-01-25 23:00:00 +01:00
Sim4n6
2d38993075 Add a missing "and" 2023-01-25 19:46:13 +01:00
Sim4n6
0ed480855a Update python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
Yes, definitely

Co-authored-by: yoff <lerchedahl@gmail.com>
2023-01-25 19:44:28 +01:00
Sim4n6
10d6ebf95b Use of inline tests for dataflow queries 2023-01-25 19:28:05 +01:00
Sim4n6
b5a6f6e165 Merge pull request #1 from github/main
Sync with the upstream
2023-01-25 19:13:35 +01:00
erik-krogh
80d05c0425 also recognize protected methods as library-input sources 2023-01-24 20:55:25 +01:00
erik-krogh
a017b7500b Merge branch 'main' into rbPoly 2023-01-24 20:51:36 +01:00
erik-krogh
49f5e89f36 update expected output for experimental query 2023-01-23 22:29:49 +01:00
erik-krogh
3cece50f78 add encodeURIComponent as a sanitizer for request-forgery 2023-01-23 13:53:53 +01:00
erik-krogh
be8ef1b324 add failing test 2023-01-23 13:52:36 +01:00
Arthur Baars
2b9bc3c7e3 Ruby: write errors to json log 2023-01-20 20:11:55 +01:00
Arthur Baars
d5e60dfb22 Ruby: pass diagnostics::LogWriter to extractor 2023-01-19 13:53:56 +01:00
Arthur Baars
e85e61b6d7 Ruby: add diagnostics module 2023-01-18 16:28:16 +01:00
Jami
c725c447ac Merge branch 'main' into jcogs33/update-paramsString 2023-01-12 08:24:57 -05:00
Jami Cogswell
faae811be7 Java: try simplification of paramsString and paramsStringPart 2023-01-10 13:35:52 -05:00
Jami Cogswell
65aa064838 Java: update paramsString qldoc 2023-01-10 13:33:47 -05:00
erik-krogh
d67e756f42 make the import of Gem private 2023-01-09 09:13:01 +01:00
Sim4n6
4376870a51 An uploaded file is considered a source 2022-12-15 23:39:02 +01:00
Paolo Tranquilli
de2e92d5e1 Swift: remove / delimiters from regex extracted patterns 2022-12-14 09:18:36 +01:00
Paolo Tranquilli
fb5b6eab19 Swift: extract RegexLiteralExpr 2022-12-14 09:12:07 +01:00
ALJI Mohamed
54109b8ea7 Add source wget.download 2022-12-13 15:34:01 +01:00
ALJI Mohamed
2f68b54b27 A simple download_file() call from maybe boto3 2022-12-12 19:46:34 +01:00
ALJI Mohamed
b19452467d read by chunks as additional step 2022-12-10 21:59:14 +01:00
ALJI Mohamed
eff132512c Copying the response data to the archive 2022-12-10 08:15:42 +01:00
ALJI Mohamed
545aab0e07 tarball path provided using CLI argument (source) 2022-12-09 15:54:43 +01:00
ALJI Mohamed
9336f4f1a2 Considering the use of contextlib.closing() method 2022-12-08 12:26:59 +01:00
ALJI Mohamed
2801b8495a A fix of the tag name 2022-12-06 14:50:47 +01:00
ALJI Mohamed
4896e62117 Use of more generic terms 2022-12-06 14:44:52 +01:00
Sim4n6
58570b4d2c Update python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2022-12-06 14:40:48 +01:00
Sim4n6
9a60202de6 Update python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.qhelp
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2022-12-06 14:40:35 +01:00
Sim4n6
c22c0b5029 Update python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.qhelp
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2022-12-06 14:39:16 +01:00
ALJI Mohamed
a5849eb9b0 Improved the additional taint step using InstanceSource 2022-12-06 14:00:08 +01:00
ALJI Mohamed
054c06be65 Update UnsafeUnpack.ql 2022-12-06 02:51:07 +01:00
ALJI Mohamed
68fd75ca34 UnpackUnsafe query and tests 2022-12-05 17:20:22 +01:00
erik-krogh
2ad28ab4db add library inputs as a source to poly-redos 2022-11-22 13:05:34 +01:00
ihsinme
65c9a7b278 Update BufferAccessWithIncorrectLengthValue.ql 2022-06-26 13:49:44 +03:00
ihsinme
c1f0940b6a Update cpp/ql/src/experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
2022-06-23 12:50:59 +03:00
ihsinme
5609d5200b Update cpp/ql/src/experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
2022-05-30 20:41:39 +03:00
ihsinme
9499961a9c Update BufferAccessWithIncorrectLengthValue.ql 2022-05-30 12:43:28 +03:00
ihsinme
d489c12014 Update BufferAccessWithIncorrectLengthValue.ql 2022-05-30 12:26:26 +03:00
ihsinme
475e36e6fc Update BufferAccessWithIncorrectLengthValue.ql 2022-05-29 09:58:16 +03:00
ihsinme
df1ea5b679 Update BufferAccessWithIncorrectLengthValue.qhelp 2022-05-29 09:56:29 +03:00
ihsinme
5a9061e45b create new branchihsinme-patch-102 in fork 2022-05-21 14:19:34 +00:00
1070 changed files with 168296 additions and 14851 deletions

View File

@@ -9,7 +9,7 @@ inputs:
outputs:
cache-dir:
description: "The directory where the cache was stored"
value: ${{ steps.fill-compilation-dir.outputs.compdir }}
value: ${{ steps.output-compilation-dir.outputs.compdir }}
runs:
using: composite
@@ -27,7 +27,9 @@ runs:
if: ${{ github.event_name == 'pull_request' }}
uses: actions/cache/restore@v3
with:
path: '**/.cache'
path: |
**/.cache
~/.codeql/compile-cache
key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }}
restore-keys: |
codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-${{ env.merge_base }}
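Review bot: `~/.codeql/compile-cache` is added to the `path` of the pull-request branch, but this step is `actions/cache/restore@v3`, which only restores; the non-PR `actions/cache@v3` branch in the next hunk is the one that has to save it, so both `path` lists must stay in sync. Note also that the leading `~` is expanded by the cache action's glob handling, not by a shell, so keep it at the start of the pattern.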
@@ -37,18 +39,111 @@ runs:
if: ${{ github.event_name != 'pull_request' }}
uses: actions/cache@v3
with:
path: '**/.cache'
path: |
**/.cache
~/.codeql/compile-cache
key: codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-${{ github.sha }} # just fill on main
restore-keys: | # restore the latest cache if the exact cache is unavailable, to speed up compilation.
codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-
codeql-compile-${{ inputs.key }}-main-
- name: Fill compilation cache directory
id: fill-compilation-dir
- name: Output-compilationdir
id: output-compilation-dir
shell: bash
run: |
# Move all the existing cache into another folder, so we only preserve the cache for the current queries.
node $GITHUB_WORKSPACE/.github/actions/cache-query-compilation/move-caches.js ${COMBINED_CACHE_DIR}
echo "compdir=${COMBINED_CACHE_DIR}" >> $GITHUB_OUTPUT
env:
COMBINED_CACHE_DIR: ${{ runner.temp }}/compilation-dir
- name: Fill compilation cache directory
id: fill-compilation-dir
uses: actions/github-script@v6
env:
COMBINED_CACHE_DIR: ${{ runner.temp }}/compilation-dir
with:
script: |
// # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
// mkdir -p ${COMBINED_CACHE_DIR}
// rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
// # copy the contents of the .cache folders into the combined cache folder.
// cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
// # clean up the .cache folders
// rm -rf **/.cache/*
const fs = require("fs");
const path = require("path");
const os = require("os");
// the first argv is the cache folder to create.
const COMBINED_CACHE_DIR = process.env.COMBINED_CACHE_DIR;
function* walkCaches(dir) {
const files = fs.readdirSync(dir, { withFileTypes: true });
for (const file of files) {
if (file.isDirectory()) {
const filePath = path.join(dir, file.name);
yield* walkCaches(filePath);
if (file.name === ".cache") {
yield filePath;
}
}
}
}
async function copyDir(src, dest) {
for await (const file of await fs.promises.readdir(src, { withFileTypes: true })) {
const srcPath = path.join(src, file.name);
const destPath = path.join(dest, file.name);
if (file.isDirectory()) {
if (!fs.existsSync(destPath)) {
fs.mkdirSync(destPath);
}
await copyDir(srcPath, destPath);
} else {
await fs.promises.copyFile(srcPath, destPath);
}
}
}
async function main() {
const cacheDirs = [...walkCaches(".")];
for (const dir of cacheDirs) {
console.log(`Found .cache dir at ${dir}`);
}
const globalCacheDir = path.join(os.homedir(), ".codeql", "compile-cache");
if (fs.existsSync(globalCacheDir)) {
console.log("Found global home dir: " + globalCacheDir);
cacheDirs.push(globalCacheDir);
}
if (cacheDirs.length === 0) {
console.log("No cache dirs found");
return;
}
// mkdir -p ${COMBINED_CACHE_DIR}
fs.mkdirSync(COMBINED_CACHE_DIR, { recursive: true });
// rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
await Promise.all(
cacheDirs.map((cacheDir) =>
(async function () {
await fs.promises.rm(path.join(cacheDir, "lock"), { force: true });
await fs.promises.rm(path.join(cacheDir, "size"), { force: true });
})()
)
);
// # copy the contents of the .cache folders into the combined cache folder.
// cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
await Promise.all(
cacheDirs.map((cacheDir) => copyDir(cacheDir, COMBINED_CACHE_DIR))
);
// # clean up the .cache folders
// rm -rf **/.cache/*
await Promise.all(
cacheDirs.map((cacheDir) => fs.promises.rm(cacheDir, { recursive: true }))
);
}
main();
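Review bot: `main();` on the last line of the inlined script is neither awaited nor returned, so inside `actions/github-script@v6` the script body completes before the copy/remove work finishes and any error surfaces only as an unhandled promise rejection rather than as a step failure with context; use `await main();`. Two smaller points in the same hunk: the comment `// the first argv is the cache folder to create.` is stale now that the directory comes from `process.env.COMBINED_CACHE_DIR`, and the step name `Output-compilationdir` reads oddly next to `id: output-compilation-dir`. Finally, `~/.codeql/compile-cache` is both listed under the `actions/cache@v3` `path:` and pushed into `cacheDirs`, whose entries are removed with `fs.promises.rm(cacheDir, { recursive: true })` at the end, so the post-job save will find that directory gone unless a later step recreates it.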

View File

@@ -1,75 +0,0 @@
// # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
// mkdir -p ${COMBINED_CACHE_DIR}
// rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
// # copy the contents of the .cache folders into the combined cache folder.
// cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
// # clean up the .cache folders
// rm -rf **/.cache/*
const fs = require("fs");
const path = require("path");
// the first argv is the cache folder to create.
const COMBINED_CACHE_DIR = process.argv[2];
function* walkCaches(dir) {
const files = fs.readdirSync(dir, { withFileTypes: true });
for (const file of files) {
if (file.isDirectory()) {
const filePath = path.join(dir, file.name);
yield* walkCaches(filePath);
if (file.name === ".cache") {
yield filePath;
}
}
}
}
async function copyDir(src, dest) {
for await (const file of await fs.promises.readdir(src, { withFileTypes: true })) {
const srcPath = path.join(src, file.name);
const destPath = path.join(dest, file.name);
if (file.isDirectory()) {
if (!fs.existsSync(destPath)) {
fs.mkdirSync(destPath);
}
await copyDir(srcPath, destPath);
} else {
await fs.promises.copyFile(srcPath, destPath);
}
}
}
async function main() {
const cacheDirs = [...walkCaches(".")];
for (const dir of cacheDirs) {
console.log(`Found .cache dir at ${dir}`);
}
// mkdir -p ${COMBINED_CACHE_DIR}
fs.mkdirSync(COMBINED_CACHE_DIR, { recursive: true });
// rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
await Promise.all(
cacheDirs.map((cacheDir) =>
(async function () {
await fs.promises.rm(path.join(cacheDir, "lock"), { force: true });
await fs.promises.rm(path.join(cacheDir, "size"), { force: true });
})()
)
);
// # copy the contents of the .cache folders into the combined cache folder.
// cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
await Promise.all(
cacheDirs.map((cacheDir) => copyDir(cacheDir, COMBINED_CACHE_DIR))
);
// # clean up the .cache folders
// rm -rf **/.cache/*
await Promise.all(
cacheDirs.map((cacheDir) => fs.promises.rm(cacheDir, { recursive: true }))
);
}
main();
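Review bot: the only caller visible in this diff, the `node $GITHUB_WORKSPACE/.github/actions/cache-query-compilation/move-caches.js ${COMBINED_CACHE_DIR}` line in the action above, is removed in that hunk, so deleting this file is consistent. Since the same logic now lives inline in YAML it can no longer be run or tested locally with `node`, which is worth a sentence in the PR description.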

View File

@@ -1,26 +0,0 @@
name: Find Latest CodeQL Bundle
description: Finds the URL of the latest released version of the CodeQL bundle.
outputs:
url:
description: The download URL of the latest CodeQL bundle release
value: ${{ steps.find-latest.outputs.url }}
runs:
using: composite
steps:
- name: Find Latest Release
id: find-latest
shell: pwsh
run: |
$Latest = gh release list --repo github/codeql-action --exclude-drafts --limit 1000 |
ForEach-Object { $C = $_ -split "`t"; return @{ type = $C[1]; tag = $C[2]; } } |
Where-Object { $_.type -eq 'Latest' }
$Tag = $Latest.tag
if ($Tag -eq '') {
throw 'Failed to find latest bundle release.'
}
Write-Output "Latest bundle tag is '${Tag}'."
"url=https://github.com/github/codeql-action/releases/download/${Tag}/codeql-bundle-linux64.tar.gz" >> $env:GITHUB_OUTPUT
env:
GITHUB_TOKEN: ${{ github.token }}
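Review bot: with this action deleted, the workflows below no longer pass `tools:` to `codeql-action/init`, so they switch from "latest released bundle" to whatever bundle the pinned `codeql-action` version ships. If that is the intent (one less `gh release list` call needing `GITHUB_TOKEN`, fewer moving parts), state it in the change note, because it changes which CodeQL CLI version the ql-for-ql checks run against.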

View File

@@ -28,7 +28,7 @@ jobs:
steps:
- name: Setup dotnet
uses: actions/setup-dotnet@v2
uses: actions/setup-dotnet@v3
with:
dotnet-version: 7.0.102
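Review bot: the dependabot commit message names `3.0.2`, but the workflow uses the floating major tag `actions/setup-dotnet@v3`. Either works, but the PR should follow one pinning policy for third-party actions; SHA-pinning with a `# v3.0.2` comment keeps the reference immutable while still letting dependabot bump it.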

View File

@@ -24,14 +24,14 @@ jobs:
with:
key: all-queries
- name: check formatting
run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 codeql query format --check-only
run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
- name: compile queries - check-only
# run with --check-only if running in a PR (github.sha != main)
if : ${{ github.event_name == 'pull_request' }}
shell: bash
run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
- name: compile queries - full
# do full compile if running on main - this populates the cache
if : ${{ github.event_name != 'pull_request' }}
shell: bash
run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
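Review bot: `xargs -0 -n 3000 -P 10 codeql query format -q --check-only` now runs up to ten formatter processes concurrently with `-q`; confirm that `-q` still prints the names of files that fail `--check-only`, otherwise a red step tells the contributor nothing about which file to format. The same applies to the two `codeql query compile -q ...` lines: `--warnings=error` makes warnings fatal, so their text must still reach the log under `-q`.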

View File

@@ -12,10 +12,10 @@ jobs:
name: Test MacOS
runs-on: macos-latest
steps:
- name: Set up Go 1.19
- name: Set up Go 1.20
uses: actions/setup-go@v3
with:
go-version: 1.19
go-version: 1.20.0
id: go
- name: Check out code
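Review bot: `go-version: 1.20.0` rather than `1.20` is the right call: an unquoted `1.20` is a YAML float and is read as `1.2`, which `actions/setup-go` would resolve to a different release (the old `1.19` only worked because it has no trailing zero). Quoting the value (`'1.20'`) is the alternative; the Windows job below and the Linux workflow use the same `1.20.0` form, so this is consistent.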
@@ -47,10 +47,10 @@ jobs:
name: Test Windows
runs-on: windows-latest-xl
steps:
- name: Set up Go 1.19
- name: Set up Go 1.20
uses: actions/setup-go@v3
with:
go-version: 1.19
go-version: 1.20.0
id: go
- name: Check out code

View File

@@ -20,10 +20,10 @@ jobs:
name: Test Linux (Ubuntu)
runs-on: ubuntu-latest-xl
steps:
- name: Set up Go 1.19
- name: Set up Go 1.20
uses: actions/setup-go@v3
with:
go-version: 1.19
go-version: 1.20.0
id: go
- name: Check out code

View File

@@ -5,13 +5,6 @@ on:
branches: [main]
pull_request:
branches: [main]
paths:
- "ql/**"
- "**.qll"
- "**.ql"
- "**.dbscheme"
- "**/qlpack.yml"
- ".github/workflows/ql-for-ql-build.yml"
env:
CARGO_TERM_COLOR: always
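Review bot: removing the `paths:` filter under `pull_request` means this workflow now runs on every pull request rather than only on QL-related changes. If the goal is a required status check that always reports, say so in the PR description; otherwise keep the filter to save runner time.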
@@ -22,66 +15,26 @@ jobs:
steps:
### Build the queries ###
- uses: actions/checkout@v3
- name: Find latest bundle
id: find-latest-bundle
uses: ./.github/actions/find-latest-bundle
with:
fetch-depth: 0
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
uses: github/codeql-action/init@v2
with:
languages: javascript # does not matter
tools: ${{ steps.find-latest-bundle.outputs.url }}
- name: Get CodeQL version
id: get-codeql-version
run: |
echo "version=$("${CODEQL}" --version | head -n 1 | rev | cut -d " " -f 1 | rev)" >> $GITHUB_OUTPUT
shell: bash
env:
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
- uses: ./.github/actions/os-version
id: os_version
- name: Cache entire pack
id: cache-pack
uses: actions/cache@v3
with:
path: ${{ runner.temp }}/pack
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
- name: Cache queries
if: steps.cache-pack.outputs.cache-hit != 'true'
id: cache-queries
uses: actions/cache@v3
with:
path: ${{ runner.temp }}/queries
key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
- name: Build query pack
if: steps.cache-queries.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
run: |
cd ql/ql/src
"${CODEQL}" pack create -j 16
mv .codeql/pack/codeql/ql/0.0.0 ${{ runner.temp }}/queries
env:
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
- name: Move cache queries to pack
if: steps.cache-pack.outputs.cache-hit != 'true'
run: |
cp -r ${{ runner.temp }}/queries ${{ runner.temp }}/pack
env:
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
### Build the extractor ###
- name: Cache entire extractor
if: steps.cache-pack.outputs.cache-hit != 'true'
id: cache-extractor
uses: actions/cache@v3
with:
path: |
ql/target/release/ql-autobuilder
ql/target/release/ql-autobuilder.exe
ql/target/release/ql-extractor
ql/target/release/ql-extractor.exe
ql/extractor-pack/
ql/target/release/buramu
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
- name: Cache cargo
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
if: steps.cache-extractor.outputs.cache-hit != 'true'
uses: actions/cache@v3
with:
path: |
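Review bot: `uses: github/codeql-action/init@v2` replaces the commit-SHA pin `beae46e6b1da530ed5e9fc6a756f92433ca47ae1`; a floating major tag is mutable, so the workflow will silently pick up new action releases (and, now that `tools:` is gone, new CodeQL bundles). If the looser pin is deliberate, state it in the PR; otherwise pin to a SHA with a `# v2.x.y` comment. The reduced `if: steps.cache-extractor.outputs.cache-hit != 'true'` on "Cache cargo" is the correct simplification now that the `cache-pack` step and its `cache-queries` follow-up are gone.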
@@ -89,77 +42,33 @@ jobs:
~/.cargo/git
ql/target
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
- name: Check formatting
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
run: cd ql; cargo fmt --all -- --check
- name: Build
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
run: cd ql; cargo build --verbose
- name: Run tests
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
run: cd ql; cargo test --verbose
- name: Release build
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
run: cd ql; cargo build --release
- name: Generate dbscheme
if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
run: ql/target/release/ql-generator --dbscheme ql/ql/src/ql.dbscheme --library ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll
### Package the queries and extractor ###
- name: Package pack
if: steps.cache-pack.outputs.cache-hit != 'true'
run: |
cp -r ql/codeql-extractor.yml ql/tools ql/ql/src/ql.dbscheme.stats ${PACK}/
mkdir -p ${PACK}/tools/linux64
cp ql/target/release/ql-autobuilder ${PACK}/tools/linux64/autobuilder
cp ql/target/release/ql-extractor ${PACK}/tools/linux64/extractor
chmod +x ${PACK}/tools/linux64/autobuilder
chmod +x ${PACK}/tools/linux64/extractor
if: steps.cache-extractor.outputs.cache-hit != 'true'
run: cd ql; ./scripts/create-extractor-pack.sh
env:
PACK: ${{ runner.temp }}/pack
### Run the analysis ###
- name: Hack codeql-action options
GH_TOKEN: ${{ github.token }}
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: run-ql-for-ql
- name: Make database and analyze
run: |
JSON=$(jq -nc --arg pack "${PACK}" '.database."run-queries"=["--search-path", $pack] | .resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .resolve.languages=["--search-path", $pack] | .database.init=["--search-path", $pack]')
echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}
env:
PACK: ${{ runner.temp }}/pack
- name: Create CodeQL config file
run: |
echo "paths-ignore:" >> ${CONF}
echo " - ql/ql/test" >> ${CONF}
echo " - \"*/ql/lib/upgrades/\"" >> ${CONF}
echo "disable-default-queries: true" >> ${CONF}
echo "queries:" >> ${CONF}
echo " - uses: ./ql/ql/src/codeql-suites/ql-code-scanning.qls" >> ${CONF}
echo "Config file: "
cat ${CONF}
env:
CONF: ./ql-for-ql-config.yml
- name: Initialize CodeQL
uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
./ql/target/release/buramu | tee deprecated.blame # Add a blame file for the extractor to parse.
${CODEQL} database create -l=ql --search-path ql/extractor-pack ${DB}
${CODEQL} database analyze -j0 --format=sarif-latest --output=ql-for-ql.sarif ${DB} ql/ql/src/codeql-suites/ql-code-scanning.qls --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
env:
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
DB: ${{ runner.temp }}/DB
LGTM_INDEX_FILTERS: |
exclude:ql/ql/test
exclude:*/ql/lib/upgrades/
exclude:java/ql/integration-tests
- name: Upload sarif to code-scanning
uses: github/codeql-action/upload-sarif@v2
with:
languages: ql
db-location: ${{ runner.temp }}/db
config-file: ./ql-for-ql-config.yml
tools: ${{ steps.find-latest-bundle.outputs.url }}
- name: Move pack queries
run: |
cp -r ${PACK}/queries ql/ql/src
env:
PACK: ${{ runner.temp }}/pack
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
with:
category: "ql-for-ql"
- name: Copy sarif file to CWD
run: cp ../results/ql.sarif ./ql-for-ql.sarif
- name: Fixup the $scema in sarif # Until https://github.com/microsoft/sarif-vscode-extension/pull/436/ is part in a stable release
run: |
sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ql-for-ql.sarif
sarif_file: ql-for-ql.sarif
category: ql-for-ql
- name: Sarif as artifact
uses: actions/upload-artifact@v3
with:
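Review bot: `GH_TOKEN: ${{ github.token }}` is now handed to `./scripts/create-extractor-pack.sh`, which is not part of this diff; document what the script needs the token for and confirm the job's `permissions:` grant only that plus `security-events: write` for the `upload-sarif@v2` step. Also, `LGTM_INDEX_FILTERS` replaces the generated `paths-ignore` config and adds `exclude:java/ql/integration-tests`, which the removed config file did not have, so mention that in the change note.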

View File

@@ -25,7 +25,7 @@ jobs:
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
uses: github/codeql-action/init@v2
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
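Review bot: same SHA-to-major-tag change as above; whichever pinning policy is chosen there should be applied here and to the two identical hunks below so that all the ql-for-ql workflows stay on the same `codeql-action` revision.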

View File

@@ -24,7 +24,7 @@ jobs:
- uses: actions/checkout@v3
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
uses: github/codeql-action/init@v2
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
@@ -36,6 +36,8 @@ jobs:
~/.cargo/git
ql/target
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
- name: Check formatting
run: cd ql; cargo fmt --all -- --check
- name: Build extractor
run: |
cd ql;
@@ -67,7 +69,7 @@ jobs:
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
uses: github/codeql-action/init@v2
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version

View File

@@ -2,9 +2,9 @@
/csharp/ @github/codeql-csharp
/go/ @github/codeql-go
/java/ @github/codeql-java
/javascript/ @github/codeql-javascript
/python/ @github/codeql-python
/ruby/ @github/codeql-ruby
/javascript/ @github/codeql-dynamic
/python/ @github/codeql-dynamic
/ruby/ @github/codeql-dynamic
/swift/ @github/codeql-swift
/java/kotlin-extractor/ @github/codeql-kotlin
/java/kotlin-explorer/ @github/codeql-kotlin
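Review bot: `/javascript/`, `/python/` and `/ruby/` now route to the single `@github/codeql-dynamic` team; confirm that team exists and has write access, since a CODEOWNERS entry naming an unknown team is silently ignored and the required-review gate for those directories would disappear without any error.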

View File

@@ -131,6 +131,14 @@ namespace Semmle.Autobuild.Cpp.Tests
bool IBuildActions.IsWindows() => IsWindows;
public bool IsMacOs { get; set; }
bool IBuildActions.IsMacOs() => IsMacOs;
public bool IsArm { get; set; }
bool IBuildActions.IsArm() => IsArm;
string IBuildActions.PathCombine(params string[] parts)
{
return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));

View File

@@ -1,3 +1,7 @@
## 0.5.3
No user-facing changes.
## 0.5.2
No user-facing changes.

View File

@@ -0,0 +1,3 @@
## 0.5.3
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.5.2
lastReleaseVersion: 0.5.3

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
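Review bot: `fwdFlowIn` and `fwdFlowInReducedViableImplInSomeCallContext` have no QLDoc while the neighbouring predicates do; document in particular that the two disjuncts of `fwdFlowIn` partition the `cc = true` case on `reducedViableImplInCallContext(call, _, _)`, so neither case is lost. The `not fullBarrier(node, config)` guard that the removed block carried is now `not fullBarrier(p, config)` inside `fwdFlowIn`, which is equivalent since `p` is bound to `node` at the call site; worth a one-line comment so the next reader does not go looking for it.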
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
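Review bot: the replacement `fwdFlowIsEntered` defined above via `fwdFlowIn(call, _, cc, _, config)` is stricter than the deleted body: it additionally requires `not fullBarrier(p, config)` on the parameter and, for `cc = true`, a dispatch target that is viable in some reachable call context. That is presumably the intended tightening, but since `fwdFlowIsEntered` feeds the "flow through a callable" disjunct via `fwdFlowOutFromArg`, it is a results-affecting change and deserves a line in the change note rather than being presented as a pure restructuring.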
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
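Review bot: `viableParamArgNodeCandFwd1` is an `additional predicate` consumed by later stages, and it now goes through `fwdFlowIn`, so it inherits the `fullBarrier` and call-context restrictions. Because `fwdFlowIn` is `pragma[inline]`, this is its third inlined call site (after `fwdFlow` and `fwdFlowIsEntered`), which is the trade-off the "inline to reduce the number of iterations" comment accepts; keep an eye on evaluation time for the `reducedViableImplInCallContext` branch.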
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
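Review bot: the signature change (`getHeadContent` now returns `ApHeadContent`, plus the new `projectToHeadContent`) is only sound if `getHeadContent(apCons(tc, tail)) = projectToHeadContent(tc.getContent())` holds in every stage; the QLDoc states that both mappings are functional but not that they agree, and `readStepCand`/`fwdFlowRead` below rely on exactly that to join on `apc`. Spell the invariant out in the comment on `class ApHeadContent`.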
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
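Review bot: dropping `ApNonNil` and the `fwdFlowRead0` pre-join means `fwdFlowRead` no longer excludes `ApNil` explicitly; it now relies on `getHeadContent(ap)` having no result for a nil access path (in Stage 2 that is the `ap = true` conjunct). That holds for the four parameter modules in this diff, but it is an implicit invariant, so note it next to `getHeadContent` in `StageSig`, and check that `ApNonNil` had no remaining uses outside this hunk.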
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
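Review bot: with `class ApHeadContent = Unit;`, `ApHeadContent projectToHeadContent(Content c) { any() }` maps every content to the single unit value, so in stage 2 `readStepCand` no longer filters reads by content at all and only `PrevStage::readStepCand` restricts them. That is consistent with the boolean access-path precision of this stage, but the unused `c` looks like an oversight; a short comment saying the projection is intentionally total would prevent someone from "fixing" it later.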
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
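Review bot: `getHeadContent` moves from `ap.getAHead().getContent()` (one `Content` per approximated head, so not functional) to `ap.getHead().getContent()` (a single `ContentApprox`), which is what makes the mapping functional as the `ApHeadContent` doc requires, and `projectToHeadContent = getContentApprox/1` is the matching projection. Note that this relies on the new `ContentApprox getContent()` member added to `TypedContentApprox` in the `Cached` module diff further down, so the shared library copies and the common module must be updated together or the stage 3 parameters will not compile.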
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
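Review bot: the QLDoc on `viableImplInSomeFwdFlowCallContextExt` ("Gets a viable dispatch target of `call` in the context `ctx`") was copied from `viableImplInCallContextExt` and refers to a `ctx` that is not a parameter here; `ctx` is existentially quantified over every call reached in `fwdFlowIsEntered`, so the result is a target that is viable in some reachable context, not necessarily one that encloses `call`. Suggest rewording the doc to say that and to call out that this is an over-approximation that only prunes targets never viable in any reached context. `fwdFlowInReducedViableImplInSomeCallContext` has no QLDoc at all; a one-liner noting that it is the `cc = true` half of `fwdFlowIn` restricted to calls where `reducedViableImplInCallContext(call, _, _)` holds would make the disjointness of the two `fwdFlowIn` branches (the first requires `not reducedViableImplInCallContext(call, _, _)` when `cc = true`) easier to verify.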
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
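Review bot: this is a behaviour change, not just a refactor. The old `viableParamArgNodeCandFwd1` held for any `p` with `viableParamArgEx(call, p, arg) and fwdFlow(arg, config)`; routing it through `fwdFlowIn(call, arg, _, p, config)` additionally requires `not fullBarrier(p, config)` and, for `cc = true`, the call-context-sensitive dispatch restriction from the previous hunk. Since this is an `additional predicate` exposed to later stages through the stage signature, the narrowing propagates downstream; that is presumably the point of the change, but it should be spelled out in the commit message or change note. The `pragma[inline]` on `revFlowIn` mirrors the one on `fwdFlowOut` and is fine.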
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -707,8 +707,8 @@ private module Cached {
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference.
*/
pragma[nomagic]
private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
cached
DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
result = viableImplInCallContext(call, ctx) and
result = viableCallable(call)
or
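Review bot: `viableImplInCallContextExt` loses both `private` and `pragma[nomagic]` and becomes `cached`. Making it cached is necessary now that `viableImplInSomeFwdFlowCallContextExt` in Stage1 calls it from outside this module, but dropping `private` also makes it part of the public surface of the `Cached` module; if it is not meant for external use, the doc comment should say so. Dropping `pragma[nomagic]` changes how the body is joined with the callers that previously relied on it, so it is worth confirming with a performance run that the two disjuncts over `viableImplInCallContext(call, ctx)` and `viableCallable(call)` do not regress.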
@@ -1391,6 +1391,9 @@ class TypedContentApprox extends MkTypedContentApprox {
/** Gets a typed content approximated by this value. */
TypedContent getATypedContent() { result = getATypedContent(this) }
/** Gets the content. */
ContentApprox getContent() { result = c }
/** Gets the container type. */
DataFlowType getContainerType() { result = t }
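Review bot: the QLDoc "Gets the content." on the new `ContentApprox getContent()` does not distinguish it from `getATypedContent().getContent()`, which yields the underlying `Content` values rather than the approximation; suggest "Gets the approximated content `c`" so readers of the stage 3 `getHeadContent` implementation know which of the two they are getting.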
@@ -1408,6 +1411,8 @@ abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
abstract boolean toBoolNonEmpty();
TypedContentApprox getHead() { this = TApproxFrontHead(result) }
pragma[nomagic]
TypedContent getAHead() {
exists(TypedContentApprox cont |
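Review bot: the new `TypedContentApprox getHead() { this = TApproxFrontHead(result) }` is the only member of `ApproxAccessPathFront` in this region without QLDoc; the neighbouring `getAHead` is documented and now also carries `pragma[nomagic]`, so a matching one-line doc ("Gets the approximated head of this access path front, if any") keeps the class consistent.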

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.5.2
version: 0.5.4-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp
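Review bot: the version jumps from `0.5.2` to `0.5.4-dev`, skipping `0.5.3`; please confirm this is the intended next development version for `codeql/cpp-all` and not a stale bump left over from rebasing, since dependent packs resolve on this value.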

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
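Review bot: `fwdFlowIn` (`private predicate fwdFlowIn(DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config)`) now carries the dispatch-reduction logic but has no QLDoc, while its neighbours `fwdFlowIsEntered` and `viableImplInSomeFwdFlowCallContextExt` do. The two in-body comments should be promoted to a doc that states the contract: with `cc = false` every `viableParamArgEx` target is entered; with `cc = true`, a call for which `reducedViableImplInCallContext(call, _, _)` holds is entered only into targets produced by `viableImplInSomeFwdFlowCallContextExt`. That doc should also say that this introduces a cycle (`fwdFlowIn` calls `viableImplInSomeFwdFlowCallContextExt`, which calls `fwdFlowIsEntered`, which calls `fwdFlowIn`), so the target set grows monotonically with the set of entered contexts and the `pragma[inline]` body is recursive through itself. Finally, `fwdFlowInReducedViableImplInSomeCallContext` repeats `fwdFlow(arg, true, config) and`, `viableParamArgEx(call, p, arg) and` and `not fullBarrier(p, config)` from the first disjunct of `fwdFlowIn`; if that duplication is deliberate for join ordering under `pragma[nomagic]`, a one-line comment saying so will stop a later cleanup from folding it into a shared helper.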
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
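Review bot: the comment `// inline to reduce the number of iterations` on `fwdFlowOut` (and the identical ones on `fwdFlowIn` and `revFlowIn` in this file) says what is done but not why it helps. Since `fwdFlowOut` is called from the recursive `fwdFlow` with `call` unbound (`fwdFlowOut(_, node, false, config)`), inlining removes one predicate layer from the recursive strongly connected component, so a newly derived `fwdFlow` tuple reaches the next `fwdFlow` tuple in fewer fixpoint iterations. One fuller explanation at the first occurrence and a short reference at the others would let a future reader judge whether swapping `pragma[nomagic]` for `pragma[inline]` is still the right trade once the body of `fwdFlowOut` changes.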
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
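Review bot: replacing `viableParamArgEx(call, p, arg) and fwdFlow(arg, config)` with `fwdFlowIn(call, arg, _, p, config)` in `viableParamArgNodeCandFwd1` narrows the candidate set: by the definition of `fwdFlowIn` earlier in this file, the pair now also needs `not fullBarrier(p, config)` and, for `cc = true`, a target that `viableImplInSomeFwdFlowCallContextExt` considers viable. That matches what `fwdFlow` itself does, but the predicate is `additional`, i.e. part of what later stages consume, so its QLDoc (outside this hunk) should state that candidates are barrier- and dispatch-filtered rather than plain viable parameter/argument pairs, otherwise a consumer may assume the old, larger relation.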
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
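Review bot: the QLDoc on `ApHeadContent` states that the mappings from `Ap` and from `Content` are functional, but not the compatibility property the read step join relies on: for every non-nil `ap` and every `c` that is a content of its head, `getHeadContent(ap) = projectToHeadContent(c)`. Without that property, `readStepCand` in `MkStage` (which joins `apc = getHeadContent(ap)` with `apc = projectToHeadContent(c)`) would silently drop read steps for a stage whose approximation does not commute. Please add that sentence to the doc, plus a line each on `ApHeadContent getHeadContent(Ap ap);` (no result for the nil access path) and `ApHeadContent projectToHeadContent(Content c);`, since this signature is what every `StageParam` implements against.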
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
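Review bot: two points on the `fwdFlowRead` rewrite. First, the private 5-ary `readStepCand(NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config)` shares its name with the `PrevStage::readStepCand(node1, c, node2, config)` it wraps, and the stage built here provides the `readStepCand` that the next stage resolves `PrevStage::readStepCand` to; overloading by arity is legal, but a distinct name such as `readStepCandApprox` would be clearer. Second, dropping `ApNonNil` removes the only explicit statement that `ap` is non-nil here; the new body relies on `getHeadContent(ap)` having no value for the nil path, which is explicit for `Stage2Param` (`ap = true`) and implicit for Stages 3 to 5 via `ap.getHead()`. A comment at `apc = getHeadContent(ap) and` noting that it has no result for a nil `ap`, and therefore also excludes the empty access path, would keep that invariant in the text now that the type no longer carries it.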
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
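Review bot: `ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }` now goes through the new `TypedContentApprox.getContent()` instead of expanding via `getAHead()`, which is what makes the mapping functional as the `ApHeadContent` doc requires; but `predicate projectToHeadContent = getContentApprox/1;` is only correct if `getContentApprox(c)` equals the `ContentApprox` stored in the head whenever `c` is one of the head's contents. That depends on how `TypedContentApprox` is constructed, which is outside this diff, so a short comment here stating that `getContentApprox` is the same approximation used to build `TypedContentApprox`, or a test showing a read step through an approximated content surviving Stage 3, would pin it down. Note also that `apCons` on the line above still uses `result.getAHead() = tc`, so both accessors remain in use in this module; that is fine, but worth a glance for consistency.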
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -707,8 +707,8 @@ private module Cached {
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference.
*/
pragma[nomagic]
private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
cached
DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
result = viableImplInCallContext(call, ctx) and
result = viableCallable(call)
or
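Review bot: dropping `private` and swapping `pragma[nomagic]` for `cached` on `viableImplInCallContextExt` makes it part of the library's cached surface (it is consumed by `Stage1::viableImplInSomeFwdFlowCallContextExt` in `DataFlowImpl`), and a `cached` predicate is computed in full and stored rather than specialised to its callers, so the nomagic behaviour is preserved but every `(call, ctx)` pair is now materialised whether or not `Stage1` reaches it. Please extend the QLDoc to mention the external use and, since `ctx` ranges over all calls, the expected size; the restriction to entered contexts that `Stage1` applies cannot shrink this relation because it happens after caching.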
@@ -1391,6 +1391,9 @@ class TypedContentApprox extends MkTypedContentApprox {
/** Gets a typed content approximated by this value. */
TypedContent getATypedContent() { result = getATypedContent(this) }
/** Gets the content. */
ContentApprox getContent() { result = c }
/** Gets the container type. */
DataFlowType getContainerType() { result = t }
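Review bot: the QLDoc `/** Gets the content. */` on `ContentApprox getContent() { result = c }` undersells the type: the result is a `ContentApprox`, not a `Content`, and the sibling doc is careful to say "a typed content approximated by this value". Suggest `/** Gets the approximated content. */` so a reader does not assume it is the concrete content; `Stage3Param::getHeadContent` relies on exactly that distinction.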
@@ -1408,6 +1411,8 @@ abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
abstract boolean toBoolNonEmpty();
TypedContentApprox getHead() { this = TApproxFrontHead(result) }
pragma[nomagic]
TypedContent getAHead() {
exists(TypedContentApprox cont |
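Review bot: `TypedContentApprox getHead() { this = TApproxFrontHead(result) }` is added without QLDoc, and it has no result for the nil front; that absence is load-bearing for `Stage3Param::getHeadContent`, which uses it to exclude the empty access path. Suggest `/** Gets the head of this access path front, if any. */` and, since the neighbouring `getAHead()` carries `pragma[nomagic]`, a note on whether the same is wanted here or whether the single constructor match is cheap enough to leave as is.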

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
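Review bot: the regrouping in this and the preceding hunk is behaviour-preserving: the old `exists(DataFlowCall call | revFlowIn(...) and toReturn = false or revFlowInToReturn(...) and revFlowIsReturned(...))` becomes `revFlowIn(_, node, false, config) and toReturn = false` plus a separate `// flow through a callable` disjunct that still joins `revFlowInToReturn` and `revFlowIsReturned` on the same `call`, so no tuples are gained or lost. Worth a line in the commit message that `revFlowIn` is now invoked with an unbound `call`, since the `-886` hunk makes it `pragma[inline]` and the inlined body must bind `call` on its own.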
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
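Review bot: `viableParamArgNodeCandFwd1` is exported with `additional predicate`, and routing it through `fwdFlowIn(call, arg, _, p, config)` instead of `viableParamArgEx(call, p, arg) and fwdFlow(arg, config)` adds the `not fullBarrier(p, config)` and call-context dispatch filters to what later stages see as candidates; the QLDoc above this hunk should say that the candidate set is now pruned by call context. Same remark as for `fwdFlowOut` applies to the adjacent `pragma[nomagic]` / `pragma[inline]` pair on `revFlowIn`.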
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
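Review bot: the QLDoc for `ApHeadContent` states that both mappings are functional but not the agreement property the `fwdFlowRead` join depends on: for every `tc` and `tail`, `getHeadContent(apCons(tc, tail)) = projectToHeadContent(tc.getContent())`, and `getHeadContent` must have no result for `ApNil`. Without the first, a read step could be dropped when the two sides of the join disagree; without the second, a nil access path could be read from. Suggest adding both as requirements on implementers in this comment.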
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
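Review bot: with `ApNonNil` and `fwdFlowRead0` gone, `fwdFlowRead` now calls `getHeadContent(ap)` on an unrestricted `Ap`; the non-nil guard that `ApNonNil() { not this instanceof ApNil }` provided is now implicit in each stage's `getHeadContent` having no result for the nil path (`ap = true` in Stage 2, `ap.getHead()` in Stages 3 to 5). That holds for the implementations in this change but is an invariant the signature should state; a comment at the `apc = getHeadContent(ap)` line pointing at it would stop a future `StageParam` from silently re-enabling reads from nil paths. Also, `readStepCand0` is a pure forwarder to `readStepCand` whose only purpose is the `bindingset[node1, apc]` plus `pragma[inline_late]` join-order hint; say so in a comment.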
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
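Review bot: in Stage 3 `apCons` still uses `result.getAHead() = tc` while the new `getHeadContent` reads the head via `ap.getHead().getContent()` rather than the old `ap.getAHead().getContent()`. With `ApHeadContent = ContentApprox` and `projectToHeadContent = getContentApprox/1` the result has to be the approximation, so the accessor switch looks deliberate, but please add a short comment explaining why `getHead()` is the right accessor here and `getAHead()` the right one in `apCons`, so the asymmetry does not read as a typo.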
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
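Review bot: the doc on `ApHeadContent` states the functionality requirement but not the soundness requirement that `readStepCand` relies on: whenever `c` can be the head content of `ap` at this stage's precision, `projectToHeadContent(c) = getHeadContent(ap)` must hold, otherwise reads are dropped rather than over-approximated. Stating that makes the `Stage2Param` to `Stage5Param` instantiations checkable against the contract.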
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
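Review bot: after this rewrite `fwdFlowRead` takes a plain `Ap ap`, and the non-nil restriction is only implicit in `getHeadContent(ap)` having no value for a nil access path (`ap = true` in `Stage2Param`, `ap.getHead()` in the others); add a comment saying so, and check whether `ApNonNil` (which gains `pragma[nomagic]` and a `toString()` here) still has a user, otherwise it is dead code. A one-line comment on `readStepCand0` explaining that the `bindingset[node1, apc]` / `pragma[inline_late]` wrapper exists to force the join on `(node1, apc)` before `PrevStage::readStepCand` is enumerated would also help.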
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;


@@ -707,8 +707,8 @@ private module Cached {
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference.
*/
pragma[nomagic]
private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
cached
DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
result = viableImplInCallContext(call, ctx) and
result = viableCallable(call)
or
@@ -1391,6 +1391,9 @@ class TypedContentApprox extends MkTypedContentApprox {
/** Gets a typed content approximated by this value. */
TypedContent getATypedContent() { result = getATypedContent(this) }
/** Gets the content. */
ContentApprox getContent() { result = c }
/** Gets the container type. */
DataFlowType getContainerType() { result = t }
@@ -1408,6 +1411,8 @@ abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
abstract boolean toBoolNonEmpty();
TypedContentApprox getHead() { this = TApproxFrontHead(result) }
pragma[nomagic]
TypedContent getAHead() {
exists(TypedContentApprox cont |


@@ -64,7 +64,7 @@ predicate isInsecureEncryption(string name) { name.regexpMatch(getInsecureAlgori
*/
bindingset[name]
predicate isEncryptionAdditionalEvidence(string name) {
name.toUpperCase().matches("%" + ["CRYPT", "CODE", "CODING", "CBC", "KEY", "CIPHER", "MAC"] + "%")
name.regexpMatch("(?i).*(crypt|code|coding|cbc|key|cipher|mac).*")
}
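Review bot: the `(?i)` regex is equivalent to the previous `toUpperCase().matches(...)` form, but while this line is touched: the `mac` alternative is an unanchored substring, so names such as `macro` or `machine` count as encryption evidence; anchoring it with word boundaries (or matching `hmac`/`mac` at the end of the name) would cut those false positives.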
/**


@@ -14,8 +14,8 @@ import cpp
*/
bindingset[s]
private predicate suspicious(string s) {
s.regexpMatch(".*(password|passwd|accountid|account.?key|accnt.?key|license.?key|trusted).*") and
not s.matches(["%hash%", "%crypt%", "%file%", "%path%", "%invalid%"])
s.regexpMatch("(?i).*(password|passwd|accountid|account.?key|accnt.?key|license.?key|trusted).*") and
not s.regexpMatch("(?i).*(hash|crypt|file|path|invalid).*")
}
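Review bot: in `account.?key`, `accnt.?key` and `license.?key` the `.` matches any single character, not only a separator, so `accountXkey` matches too; `[_-]?` expresses the intent. Note also that the `crypt` exclusion on the second line removes names such as `encrypted_password` from the sensitive set; if that is intended, a comment saying so prevents it from being "fixed" later.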
/**
@@ -23,7 +23,7 @@ private predicate suspicious(string s) {
*/
class SensitiveVariable extends Variable {
SensitiveVariable() {
suspicious(this.getName().toLowerCase()) and
suspicious(this.getName()) and
not this.getUnspecifiedType() instanceof IntegralType
}
}
@@ -33,7 +33,7 @@ class SensitiveVariable extends Variable {
*/
class SensitiveFunction extends Function {
SensitiveFunction() {
suspicious(this.getName().toLowerCase()) and
suspicious(this.getName()) and
not this.getUnspecifiedType() instanceof IntegralType
}
}


@@ -1,3 +1,7 @@
## 0.5.3
No user-facing changes.
## 0.5.2
No user-facing changes.


@@ -0,0 +1,3 @@
## 0.5.3
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.5.2
lastReleaseVersion: 0.5.3


@@ -0,0 +1,8 @@
...
char buf[256];
X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof(buf)); // GOOD
...
char buf[256];
X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD
...


@@ -0,0 +1,23 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Using a size argument that is larger than the buffer size will result in an out-of-bounds memory access and possibly overflow. You need to limit the value of the length argument.</p>
</overview>
<example>
<p>The following example shows the use of a function with and without an error in the size argument.</p>
<sample src="BufferAccessWithIncorrectLengthValue.cpp" />
</example>
<references>
<li>
CERT Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/ARR38-C.+Guarantee+that+library+functions+do+not+form+invalid+pointers">ARR38-C. Guarantee that library functions do not form invalid pointers - SEI CERT C Coding Standard - Confluence</a>.
</li>
</references>
</qhelp>
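Review bot: the qhelp has `<overview>`, `<example>` and `<references>` but no `<recommendation>` section; add one stating that the size argument must be derived from the actual buffer (for a local array, `sizeof(buf)`, as in the GOOD line of the sample) rather than a literal. The overview's "possibly overflow" should be explicit: a size larger than the buffer lets the callee write past the end of the buffer, which is the CWE-805 condition the query reports.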


@@ -0,0 +1,76 @@
/**
* @name Buffer access with incorrect length value
* @description Incorrect use of the length argument in some functions will result in out-of-memory accesses.
* @kind problem
* @id cpp/buffer-access-with-incorrect-length-value
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* experimental
* external/cwe/cwe-805
*/
import cpp
/** Holds for a function `f`, which has an argument at index `bpos` that points to a buffer and an argument at index `spos` that points to a size. */
predicate numberArgument(Function f, int bpos, int spos) {
f.hasGlobalOrStdName([
"X509_NAME_oneline", "SSL_CIPHER_description", "SSL_get_shared_ciphers",
"SSL_export_keying_material_early", "SSL_export_keying_material", "SSL_set_alpn_protos",
"SSL_CTX_set_alpn_protos", "SSL_read", "SSL_read_ex", "SSL_read_early_data",
"SSL_bytes_to_cipher_list", "SSL_write", "SSL_SESSION_set1_master_key",
"SSL_CTX_set_session_id_context", "BIO_gets", "BIO_read", "BIO_read_ex", "BIO_write",
"BIO_write_ex", "BIO_ctrl", "BN_bn2binpad", "BN_signed_bn2bin", "BN_signed_bn2lebin",
"EVP_PKEY_get_default_digest_name", "EVP_DigestUpdate", "EVP_PKEY_CTX_set1_tls1_prf_secret",
"EVP_KDF_derive", "EVP_CIPHER_CTX_get_updated_iv", "EVP_PKEY_get_group_name", "EVP_MAC_init",
"write", "read", "send", "sendto", "recv", "recvfrom", "strerror_r"
]) and
bpos = 1 and
spos = 2
or
f.hasGlobalOrStdName(["X509_NAME_get_text_by_NID", "EVP_PKEY_get_utf8_string_param"]) and
bpos = 2 and
spos = 3
or
f.hasGlobalOrStdName([
"BIO_snprintf", "BN_signed_lebin2bn", "BIO_new_mem_buf", "BN_lebin2bn", "BN_bin2bn",
"EVP_read_pw_string", "EVP_read_pw_string", "strftime", "strnlen", "fgets", "snprintf",
"vsnprintf"
]) and
bpos = 0 and
spos = 1
or
f.hasGlobalOrStdName(["AES_ige_encrypt", "memchr"]) and bpos = 0 and spos = 2
or
f.hasGlobalOrStdName("EVP_MAC_final") and bpos = 1 and spos = 3
or
f.hasGlobalOrStdName("OBJ_obj2txt") and bpos = 2 and spos = 1
or
f.hasGlobalOrStdName("EVP_CIPHER_CTX_ctrl") and bpos = 3 and spos = 2
or
f.hasGlobalOrStdName(["EVP_PKEY_get_octet_string_param", "getnameinfo"]) and bpos = 2 and spos = 3
or
f.hasGlobalOrStdName([
"EVP_DecryptUpdate", "EVP_EncryptUpdate", "EVP_PKEY_encrypt", "EVP_PKEY_sign",
"EVP_CipherUpdate"
]) and
bpos = 3 and
spos = 4
or
f.hasGlobalOrStdName("getnameinfo") and bpos = 4 and spos = 5
}
from FunctionCall fc
where
exists(ArrayType array, int bufArgPos, int sizeArgPos |
numberArgument(fc.getTarget(), bufArgPos, sizeArgPos) and
fc.getArgument(pragma[only_bind_into](sizeArgPos)).getValue().toInt() > array.getByteSize() and
fc.getArgument(pragma[only_bind_into](bufArgPos))
.(VariableAccess)
.getTarget()
.getADeclarationEntry()
.getType() = array
)
select fc,
"Access beyond the bounds of the allocated memory is possible, the size argument used is greater than the size of the buffer."
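Review bot: two entries in `numberArgument` do not match the prototypes of the functions they name: `OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)` has the buffer at index 0 and the size at index 1, not `bpos = 2 and spos = 1`, and `BIO_ctrl(BIO *bp, int cmd, long larg, void *parg)` has the buffer at index 3 and the size at index 2, not `bpos = 1 and spos = 2` (index 1 is the `cmd` int). `EVP_read_pw_string` is also listed twice in the `bpos = 0 and spos = 1` group. The `@description` should read "out-of-bounds memory accesses" rather than "out-of-memory accesses".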


@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.5.2
version: 0.5.4-dev
groups:
- cpp
- queries

View File

@@ -0,0 +1 @@
| test.cpp:27:5:27:21 | call to X509_NAME_oneline | Access beyond the bounds of the allocated memory is possible, the size argument used is greater than the size of the buffer. |


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql


@@ -0,0 +1,31 @@
struct X509_NAME {};
struct SSL {};
struct X509 {};
char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
X509 *SSL_get_peer_certificate(const SSL *ssl);
X509_NAME *X509_get_subject_name(const X509 *x);
char *strcasestr(char *a, char *b);
bool goodTest1(SSL *ssl,char *text)
{
X509 *peer;
char buf[256];
if( peer = SSL_get_peer_certificate(ssl))
{
X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof(buf)); // GOOD
if((char*)strcasestr(buf,text)) return true;
}
return false;
}
bool badTest1(SSL *ssl,char *text)
{
X509 *peer;
char buf[256];
if( peer = SSL_get_peer_certificate(ssl))
{
X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD
if((char*)strcasestr(buf,text)) return true;
}
return false;
}


@@ -145,6 +145,14 @@ namespace Semmle.Autobuild.CSharp.Tests
bool IBuildActions.IsWindows() => IsWindows;
public bool IsMacOs { get; set; }
bool IBuildActions.IsMacOs() => IsMacOs;
public bool IsArm { get; set; }
bool IBuildActions.IsArm() => IsArm;
public string PathCombine(params string[] parts)
{
return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));


@@ -7,6 +7,7 @@ using System.Xml;
using System.Net.Http;
using System.Diagnostics.CodeAnalysis;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
namespace Semmle.Autobuild.Shared
{
@@ -98,6 +99,18 @@ namespace Semmle.Autobuild.Shared
/// </summary>
bool IsWindows();
/// <summary>
/// Gets a value indicating whether we are running on macOS.
/// </summary>
/// <returns>True if we are running on macOS.</returns>
bool IsMacOs();
/// <summary>
/// Gets a value indicating whether we are running on arm.
/// </summary>
/// <returns>True if we are running on arm.</returns>
bool IsArm();
/// <summary>
/// Combine path segments, Path.Combine().
/// </summary>
@@ -203,6 +216,12 @@ namespace Semmle.Autobuild.Shared
bool IBuildActions.IsWindows() => Win32.IsWindows();
bool IBuildActions.IsMacOs() => RuntimeInformation.IsOSPlatform(OSPlatform.OSX);
bool IBuildActions.IsArm() =>
RuntimeInformation.ProcessArchitecture == Architecture.Arm64 ||
RuntimeInformation.ProcessArchitecture == Architecture.Arm;
string IBuildActions.PathCombine(params string[] parts) => Path.Combine(parts);
void IBuildActions.WriteAllText(string filename, string contents) => File.WriteAllText(filename, contents);


@@ -1,18 +1,36 @@
using Semmle.Util.Logging;
using System;
using System.Linq;
using System.Runtime.InteropServices;
namespace Semmle.Autobuild.Shared
{
internal static class MsBuildCommandExtensions
{
/// <summary>
/// Appends a call to msbuild.
/// </summary>
/// <param name="cmdBuilder"></param>
/// <param name="builder"></param>
/// <returns></returns>
public static CommandBuilder MsBuildCommand(this CommandBuilder cmdBuilder, IAutobuilder<AutobuildOptionsShared> builder)
{
var isArmMac = builder.Actions.IsMacOs() && builder.Actions.IsArm();
// mono doesn't ship with `msbuild` on Arm-based Macs, but we can fall back to
// msbuild that ships with `dotnet` which can be invoked with `dotnet msbuild`
// perhaps we should do this on all platforms?
return isArmMac ?
cmdBuilder.RunCommand("dotnet").Argument("msbuild") :
cmdBuilder.RunCommand("msbuild");
}
}
/// <summary>
/// A build rule using msbuild.
/// </summary>
public class MsBuildRule : IBuildRule<AutobuildOptionsShared>
{
/// <summary>
/// The name of the msbuild command.
/// </summary>
private const string msBuild = "msbuild";
public BuildScript Analyse(IAutobuilder<AutobuildOptionsShared> builder, bool auto)
{
if (!builder.ProjectsOrSolutionsToBuild.Any())
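Review bot: both `RunCommand(msBuild)` call sites are replaced by `MsBuildCommand(builder)`, so the private const `msBuild` in `MsBuildRule` has no remaining use in this file; remove it or move the literal into the extension. The `<param>` tags on `MsBuildCommand` are empty and should be filled in, and the trailing "perhaps we should do this on all platforms?" should become either a TODO with an issue reference or a decision.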
@@ -57,7 +75,7 @@ namespace Semmle.Autobuild.Shared
Script;
var nugetRestore = GetNugetRestoreScript();
var msbuildRestoreCommand = new CommandBuilder(builder.Actions).
RunCommand(msBuild).
MsBuildCommand(builder).
Argument("/t:restore").
QuoteArgument(projectOrSolution.FullPath);
@@ -95,7 +113,7 @@ namespace Semmle.Autobuild.Shared
command.RunCommand("set Platform=&& type NUL", quoteExe: false);
}
command.RunCommand(msBuild);
command.MsBuildCommand(builder);
command.QuoteArgument(projectOrSolution.FullPath);
var target = builder.Options.MsBuildTarget ?? "rebuild";



@@ -0,0 +1,3 @@
description: Remove a relation for scoped annotations.
compatibility: backwards
scoped_annotation.rel: delete


@@ -106,36 +106,6 @@ namespace Semmle.BuildAnalyser
return result;
}
// Attempt to load the reference from the GAC.
try
{
var loadedAssembly = System.Reflection.Assembly.ReflectionOnlyLoad(id);
if (loadedAssembly is not null)
{
// The assembly was somewhere we haven't indexed before.
// Add this assembly to our index so that subsequent lookups are faster.
result = AssemblyInfo.MakeFromAssembly(loadedAssembly);
assemblyInfoById[id] = result;
assemblyInfoByFileName[loadedAssembly.Location] = result;
return result;
}
}
catch (FileNotFoundException)
{
// A suitable assembly could not be found
}
catch (FileLoadException)
{
// The assembly cannot be loaded for some reason
// e.g. The name is malformed.
}
catch (PlatformNotSupportedException)
{
// .NET Core does not have a GAC.
}
// Fallback position - locate the assembly by its lower-case name only.
var asmName = assemblyName.ToLowerInvariant();
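Review bot: removing the `ReflectionOnlyLoad` block drops the only path that added an assembly to `assemblyInfoById`/`assemblyInfoByFileName` after a miss, so a reference that is neither indexed nor found by the lower-case-name fallback is now simply unresolved; the rationale (the removed `PlatformNotSupportedException` handler already noted that .NET Core has no GAC) belongs in a comment where the block was, and any exception types imported only for the removed catches should be checked for and cleaned up.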


@@ -59,6 +59,19 @@ namespace Semmle.Extraction.CSharp.Entities
}
}
protected void PopulateScopedKind(TextWriter trapFile, ScopedKind kind)
{
switch (kind)
{
case ScopedKind.ScopedRef:
trapFile.scoped_annotation(this, Kinds.ScopedAnnotation.ScopedRef);
break;
case ScopedKind.ScopedValue:
trapFile.scoped_annotation(this, Kinds.ScopedAnnotation.ScopedValue);
break;
}
}
protected void ExtractCompilerGenerated(TextWriter trapFile)
{
if (Symbol.IsImplicitlyDeclared)
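Review bot: `PopulateScopedKind` has no `default` or `ScopedKind.None` arm, so `ScopedAnnotation.None = 0` from the new enum is never written to the trap file and the absence of a `scoped_annotation` tuple is what encodes "not scoped"; document that on the enum or on this method so the QL side does not expect a `None` row. An explicit `case ScopedKind.None: break;` would also make the intent visible.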


@@ -33,7 +33,8 @@ namespace Semmle.Extraction.CSharp.Entities
PopulateRefKind(trapFile, Symbol.RefKind);
var unboundFieldKey = Field.Create(Context, Symbol.OriginalDefinition);
trapFile.fields(this, (Symbol.IsConst ? 2 : 1), Symbol.Name, ContainingType, Type.TypeRef, unboundFieldKey);
var kind = Symbol.IsConst ? VariableKind.Const : VariableKind.None;
trapFile.fields(this, kind, Symbol.Name, ContainingType, Type.TypeRef, unboundFieldKey);
PopulateModifiers(trapFile);


@@ -23,17 +23,23 @@ namespace Semmle.Extraction.CSharp.Entities
public void PopulateManual(Expression parent, bool isVar)
{
var trapFile = Context.TrapWriter.Writer;
var (kind, type) = Symbol is ILocalSymbol l
? (l.IsRef ? 3 : l.IsConst ? 2 : 1, l.GetAnnotatedType())
: (1, parent.Type);
trapFile.localvars(this, kind, Symbol.Name, isVar ? 1 : 0, Type.Create(Context, type).TypeRef, parent);
var @var = isVar ? 1 : 0;
if (Symbol is ILocalSymbol local)
{
var kind = local.IsRef ? Kinds.VariableKind.Ref : local.IsConst ? Kinds.VariableKind.Const : Kinds.VariableKind.None;
var type = local.GetAnnotatedType();
trapFile.localvars(this, kind, Symbol.Name, @var, Type.Create(Context, type).TypeRef, parent);
PopulateNullability(trapFile, local.GetAnnotatedType());
PopulateScopedKind(trapFile, local.ScopedKind);
if (local.IsRef)
trapFile.type_annotation(this, Kinds.TypeAnnotation.Ref);
}
else
{
trapFile.localvars(this, Kinds.VariableKind.None, Symbol.Name, @var, Type.Create(Context, parent.Type).TypeRef, parent);
}
trapFile.localvar_location(this, Location);
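Review bot: in the `ILocalSymbol` branch `local.GetAnnotatedType()` is evaluated twice (once into `type`, once for `PopulateNullability`); pass `type` to `PopulateNullability`. With the `if`/`else` split, the two `trapFile.localvars(...)` calls differ only in `kind` and the type argument, so computing `(kind, type)` in the branches and emitting `localvars` once afterwards would keep a single write site, as the previous tuple-deconstruction version did.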


@@ -65,6 +65,15 @@ namespace Semmle.Extraction.CSharp.Entities
trapFile.has_modifiers(target, Modifier.Create(cx, modifier));
}
private static void ExtractFieldModifiers(Context cx, TextWriter trapFile, IEntity key, IFieldSymbol symbol)
{
if (symbol.IsReadOnly)
HasModifier(cx, trapFile, key, Modifiers.Readonly);
if (symbol.IsRequired)
HasModifier(cx, trapFile, key, Modifiers.Required);
}
private static void ExtractNamedTypeModifiers(Context cx, TextWriter trapFile, IEntity key, ISymbol symbol)
{
if (symbol.Kind != SymbolKind.NamedType)
@@ -106,8 +115,11 @@ namespace Semmle.Extraction.CSharp.Entities
if (symbol.IsVirtual)
HasModifier(cx, trapFile, key, Modifiers.Virtual);
if (symbol.Kind == SymbolKind.Field && ((IFieldSymbol)symbol).IsReadOnly)
HasModifier(cx, trapFile, key, Modifiers.Readonly);
if (symbol is IFieldSymbol field)
ExtractFieldModifiers(cx, trapFile, key, field);
if (symbol.Kind == SymbolKind.Property && ((IPropertySymbol)symbol).IsRequired)
HasModifier(cx, trapFile, key, Modifiers.Required);
if (symbol.IsOverride)
HasModifier(cx, trapFile, key, Modifiers.Override);


@@ -13,6 +13,7 @@ internal static class Modifiers
public const string Public = "public";
public const string Readonly = "readonly";
public const string Record = "record";
public const string Required = "required";
public const string Ref = "ref";
public const string Sealed = "sealed";
public const string Static = "static";


@@ -100,6 +100,7 @@ namespace Semmle.Extraction.CSharp.Entities
PopulateAttributes();
PopulateNullability(trapFile, Symbol.GetAnnotatedType());
PopulateRefKind(trapFile, Symbol.RefKind);
PopulateScopedKind(trapFile, Symbol.ScopedKind);
if (Symbol.Name != Original.Symbol.Name)
Context.ModelError(Symbol, "Inconsistent parameter declaration");


@@ -0,0 +1,8 @@
namespace Semmle.Extraction.Kinds;
public enum ScopedAnnotation
{
None = 0,
ScopedRef = 1,
ScopedValue = 2
}


@@ -0,0 +1,8 @@
namespace Semmle.Extraction.Kinds;
public enum VariableKind
{
None = 1,
Const = 2,
Ref = 3
}
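Review bot: `VariableKind` starts at `None = 1` because these values replace the literals `1`, `2`, `3` previously written for the `Field` and `LocalVariable` entities and by `fields`/`localvars` in the trap writer; add a comment that the numeric values are fixed by the dbscheme and must not be renumbered (unlike `ScopedAnnotation`, which starts at 0).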


@@ -191,8 +191,8 @@ namespace Semmle.Extraction.CSharp
internal static void field_location(this TextWriter trapFile, Field field, Location location) =>
trapFile.WriteTuple("field_location", field, location);
internal static void fields(this TextWriter trapFile, Field field, int @const, string name, Type declaringType, Type fieldType, Field unboundKey) =>
trapFile.WriteTuple("fields", field, @const, name, declaringType, fieldType, unboundKey);
internal static void fields(this TextWriter trapFile, Field field, VariableKind kind, string name, Type declaringType, Type fieldType, Field unboundKey) =>
trapFile.WriteTuple("fields", field, (int)kind, name, declaringType, fieldType, unboundKey);
internal static void general_type_parameter_constraints(this TextWriter trapFile, TypeParameterConstraints constraints, int hasKind) =>
trapFile.WriteTuple("general_type_parameter_constraints", constraints, hasKind);
@@ -227,8 +227,8 @@ namespace Semmle.Extraction.CSharp
internal static void localvar_location(this TextWriter trapFile, LocalVariable var, Location location) =>
trapFile.WriteTuple("localvar_location", var, location);
internal static void localvars(this TextWriter trapFile, LocalVariable key, int @const, string name, int @var, Type type, Expression expr) =>
trapFile.WriteTuple("localvars", key, @const, name, @var, type, expr);
internal static void localvars(this TextWriter trapFile, LocalVariable key, VariableKind kind, string name, int @var, Type type, Expression expr) =>
trapFile.WriteTuple("localvars", key, (int)kind, name, @var, type, expr);
public static void metadata_handle(this TextWriter trapFile, IEntity entity, Location assembly, int handleValue) =>
trapFile.WriteTuple("metadata_handle", entity, assembly, handleValue);
@@ -462,5 +462,8 @@ namespace Semmle.Extraction.CSharp
internal static void file_extraction_mode(this System.IO.TextWriter trapFile, Entities.File file, ExtractorMode mode) =>
trapFile.WriteTuple("file_extraction_mode", file, mode);
internal static void scoped_annotation(this TextWriter trapFile, IEntity element, ScopedAnnotation @scoped) =>
trapFile.WriteTuple("scoped_annotation", element, (int)@scoped);
}
}


@@ -223,7 +223,7 @@ namespace Semmle.Extraction
{
FileUtils.MoveOrReplace(tmpSrcFile, dest);
}
catch (IOException ex)
catch (Exception ex)
{
// If this happened, it was probably because the same file was compiled multiple times.
// In any case, this is not a fatal error.
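Review bot: widening `catch (IOException ex)` to `catch (Exception ex)` swallows every failure of `FileUtils.MoveOrReplace`, not only the concurrent-compile case the comment describes; if the motivating case is a specific type (for example `UnauthorizedAccessException` on a locked file), catch that type alongside `IOException`, and in any case log the exception so that unexpected failures remain visible.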


@@ -1,3 +1,7 @@
## 1.4.3
No user-facing changes.
## 1.4.2
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.4.3
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.2
lastReleaseVersion: 1.4.3


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.4.2
version: 1.4.4-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,7 @@
## 1.4.3
No user-facing changes.
## 1.4.2
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.4.3
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.2
lastReleaseVersion: 1.4.3


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.4.2
version: 1.4.4-dev
groups:
- csharp
- solorigate


@@ -1,8 +1,9 @@
import os
from create_database_utils import *
run_codeql_database_create(['dotnet publish'], test_db="default-db", db=None, lang="csharp")
artifacts = 'bin/Temp'
run_codeql_database_create([f"dotnet publish -o {artifacts}"], test_db="default-db", db=None, lang="csharp")
## Check that the publish folder is created.
if not os.path.isdir("bin/Debug/net7.0/publish/"):
if not os.path.isdir(artifacts):
raise Exception("The publish artifact folder was not created.")


@@ -0,0 +1,13 @@
using System;
namespace Test
{
public class Program
{
public static int Main(string[] args)
{
Console.WriteLine("Hello world!");
return 0;
}
}
}


@@ -0,0 +1,7 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net4.0</TargetFramework>
</PropertyGroup>
</Project>
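Review bot: `<TargetFramework>net4.0</TargetFramework>` is not the documented moniker for .NET Framework 4.0, which is `net40`; if `net4.0` is deliberately used, a comment saying it is accepted and that the project exists to exercise the `msbuild` path rather than `dotnet` would help the next reader.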


@@ -0,0 +1,4 @@
from create_database_utils import *
# force CodeQL to use MSBuild by setting `LGTM_INDEX_MSBUILD_TARGET`
run_codeql_database_create([], test_db="default-db", db=None, lang="csharp", extra_env={ 'LGTM_INDEX_MSBUILD_TARGET': 'Build' })


@@ -1,3 +1,9 @@
## 0.5.3
### Minor Analysis Improvements
* C# 11: Added extractor support for the `scoped` modifier annotation on parameters and local variables.
## 0.5.2
### Major Analysis Improvements


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* C# 11: Added library support for `checked` operators.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* C# 11: Added extractor support for `required` fields and properties.


@@ -0,0 +1,5 @@
## 0.5.3
### Minor Analysis Improvements
* C# 11: Added extractor support for the `scoped` modifier annotation on parameters and local variables.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.5.2
lastReleaseVersion: 0.5.3


@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.5.2
version: 0.5.4-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp


@@ -435,8 +435,12 @@ class Destructor extends DotNet::Destructor, Callable, Member, Attributable, @de
* (`BinaryOperator`), or a conversion operator (`ConversionOperator`).
*/
class Operator extends Callable, Member, Attributable, @operator {
/** Gets the assembly name of this operator. */
string getAssemblyName() { operators(this, result, _, _, _, _) }
/**
* DEPRECATED: use `getFunctionName()` instead.
*
* Gets the assembly name of this operator.
*/
deprecated string getAssemblyName() { result = this.getFunctionName() }
override string getName() { operators(this, _, result, _, _, _) }
@@ -445,7 +449,7 @@ class Operator extends Callable, Member, Attributable, @operator {
/**
* Gets the metadata name of the operator, such as `op_implicit` or `op_RightShift`.
*/
string getFunctionName() { none() }
string getFunctionName() { operators(this, result, _, _, _, _) }
override ValueOrRefType getDeclaringType() { operators(this, _, _, result, _, _) }
@@ -481,10 +485,11 @@ class RecordCloneMethod extends Method, DotNet::RecordCloneCallable {
* A user-defined unary operator - an operator taking one operand.
*
* Either a plus operator (`PlusOperator`), minus operator (`MinusOperator`),
* not operator (`NotOperator`), complement operator (`ComplementOperator`),
* true operator (`TrueOperator`), false operator (`FalseOperator`),
* increment operator (`IncrementOperator`), or decrement operator
* (`DecrementOperator`).
* checked minus operator (`CheckedMinusOperator`), not operator (`NotOperator`),
* complement operator (`ComplementOperator`), true operator (`TrueOperator`),
* false operator (`FalseOperator`), increment operator (`IncrementOperator`),
* checked increment operator (`CheckedIncrementOperator`), decrement operator
* (`DecrementOperator`) or checked decrement operator (`CheckedDecrementOperator`).
*/
class UnaryOperator extends Operator {
UnaryOperator() {
@@ -505,8 +510,6 @@ class UnaryOperator extends Operator {
class PlusOperator extends UnaryOperator {
PlusOperator() { this.getName() = "+" }
override string getFunctionName() { result = "op_UnaryPlus" }
override string getAPrimaryQlClass() { result = "PlusOperator" }
}
@@ -522,11 +525,24 @@ class PlusOperator extends UnaryOperator {
class MinusOperator extends UnaryOperator {
MinusOperator() { this.getName() = "-" }
override string getFunctionName() { result = "op_UnaryNegation" }
override string getAPrimaryQlClass() { result = "MinusOperator" }
}
/**
* A user-defined checked minus operator (`-`), for example
*
* ```csharp
* public static Widget operator checked -(Widget w) {
* ...
* }
* ```
*/
class CheckedMinusOperator extends UnaryOperator {
CheckedMinusOperator() { this.getName() = "checked -" }
override string getAPrimaryQlClass() { result = "CheckedMinusOperator" }
}
/**
* A user-defined not operator (`!`), for example
*
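Review bot: the doc headings of the new `CheckedMinusOperator`, `CheckedIncrementOperator`, `CheckedDecrementOperator` and `CheckedAddOperator` classes show the operator as (`-`), (`++`), (`--`) and (`+`), while `getName()` is matched against `"checked -"` and so on; quoting `checked -` in the heading distinguishes them from the unchecked classes at a glance.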
@@ -539,8 +555,6 @@ class MinusOperator extends UnaryOperator {
class NotOperator extends UnaryOperator {
NotOperator() { this.getName() = "!" }
override string getFunctionName() { result = "op_LogicalNot" }
override string getAPrimaryQlClass() { result = "NotOperator" }
}
@@ -556,8 +570,6 @@ class NotOperator extends UnaryOperator {
class ComplementOperator extends UnaryOperator {
ComplementOperator() { this.getName() = "~" }
override string getFunctionName() { result = "op_OnesComplement" }
override string getAPrimaryQlClass() { result = "ComplementOperator" }
}
@@ -573,11 +585,24 @@ class ComplementOperator extends UnaryOperator {
class IncrementOperator extends UnaryOperator {
IncrementOperator() { this.getName() = "++" }
override string getFunctionName() { result = "op_Increment" }
override string getAPrimaryQlClass() { result = "IncrementOperator" }
}
/**
* A user-defined checked increment operator (`++`), for example
*
* ```csharp
* public static Widget operator checked ++(Widget w) {
* ...
* }
* ```
*/
class CheckedIncrementOperator extends UnaryOperator {
CheckedIncrementOperator() { this.getName() = "checked ++" }
override string getAPrimaryQlClass() { result = "CheckedIncrementOperator" }
}
/**
* A user-defined decrement operator (`--`), for example
*
@@ -590,11 +615,24 @@ class IncrementOperator extends UnaryOperator {
class DecrementOperator extends UnaryOperator {
DecrementOperator() { this.getName() = "--" }
override string getFunctionName() { result = "op_Decrement" }
override string getAPrimaryQlClass() { result = "DecrementOperator" }
}
/**
* A user-defined checked decrement operator (`--`), for example
*
* ```csharp
* public static Widget operator checked --(Widget w) {
* ...
* }
* ```
*/
class CheckedDecrementOperator extends UnaryOperator {
CheckedDecrementOperator() { this.getName() = "checked --" }
override string getAPrimaryQlClass() { result = "CheckedDecrementOperator" }
}
/**
* A user-defined false operator (`false`), for example
*
@@ -607,8 +645,6 @@ class DecrementOperator extends UnaryOperator {
class FalseOperator extends UnaryOperator {
FalseOperator() { this.getName() = "false" }
override string getFunctionName() { result = "op_False" }
override string getAPrimaryQlClass() { result = "FalseOperator" }
}
@@ -624,17 +660,18 @@ class FalseOperator extends UnaryOperator {
class TrueOperator extends UnaryOperator {
TrueOperator() { this.getName() = "true" }
override string getFunctionName() { result = "op_True" }
override string getAPrimaryQlClass() { result = "TrueOperator" }
}
/**
* A user-defined binary operator.
*
* Either an addition operator (`AddOperator`), a subtraction operator
* (`SubOperator`), a multiplication operator (`MulOperator`), a division
* operator (`DivOperator`), a remainder operator (`RemOperator`), an and
* Either an addition operator (`AddOperator`), a checked addition operator
* (`CheckedAddOperator`) a subtraction operator (`SubOperator`), a checked
* substraction operator (`CheckedSubOperator`), a multiplication operator
* (`MulOperator`), a checked multiplication operator (`CheckedMulOperator`),
* a division operator (`DivOperator`), a checked division operator
* (`CheckedDivOperator`), a remainder operator (`RemOperator`), an and
* operator (`AndOperator`), an or operator (`OrOperator`), an xor
* operator (`XorOperator`), a left shift operator (`LeftShiftOperator`),
* a right shift operator (`RightShiftOperator`), an unsigned right shift
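Review bot: typo and punctuation in the new `BinaryOperator` doc text: `substraction operator` should read `subtraction operator`, and a comma is missing after `(\`CheckedAddOperator\`)`, so the sentence should run `a checked addition operator (\`CheckedAddOperator\`), a subtraction operator (\`SubOperator\`), a checked subtraction operator (\`CheckedSubOperator\`), ...`.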
@@ -659,11 +696,24 @@ class BinaryOperator extends Operator {
class AddOperator extends BinaryOperator {
AddOperator() { this.getName() = "+" }
override string getFunctionName() { result = "op_Addition" }
override string getAPrimaryQlClass() { result = "AddOperator" }
}
/**
* A user-defined checked addition operator (`+`), for example
*
* ```csharp
* public static Widget operator checked +(Widget lhs, Widget rhs) {
* ...
* }
* ```
*/
class CheckedAddOperator extends BinaryOperator {
CheckedAddOperator() { this.getName() = "checked +" }
override string getAPrimaryQlClass() { result = "CheckedAddOperator" }
}
/**
* A user-defined subtraction operator (`-`), for example
*
@@ -676,11 +726,24 @@ class AddOperator extends BinaryOperator {
class SubOperator extends BinaryOperator {
SubOperator() { this.getName() = "-" }
override string getFunctionName() { result = "op_Subtraction" }
override string getAPrimaryQlClass() { result = "SubOperator" }
}
/**
* A user-defined checked subtraction operator (`-`), for example
*
* ```csharp
* public static Widget operator checked -(Widget lhs, Widget rhs) {
* ...
* }
* ```
*/
class CheckedSubOperator extends BinaryOperator {
CheckedSubOperator() { this.getName() = "checked -" }
override string getAPrimaryQlClass() { result = "CheckedSubOperator" }
}
/**
* A user-defined multiplication operator (`*`), for example
*
@@ -693,11 +756,24 @@ class SubOperator extends BinaryOperator {
class MulOperator extends BinaryOperator {
MulOperator() { this.getName() = "*" }
override string getFunctionName() { result = "op_Multiply" }
override string getAPrimaryQlClass() { result = "MulOperator" }
}
/**
* A user-defined checked multiplication operator (`*`), for example
*
* ```csharp
* public static Widget operator checked *(Widget lhs, Widget rhs) {
* ...
* }
* ```
*/
class CheckedMulOperator extends BinaryOperator {
CheckedMulOperator() { this.getName() = "checked *" }
override string getAPrimaryQlClass() { result = "CheckedMulOperator" }
}
/**
* A user-defined division operator (`/`), for example
*
@@ -710,11 +786,24 @@ class MulOperator extends BinaryOperator {
class DivOperator extends BinaryOperator {
DivOperator() { this.getName() = "/" }
override string getFunctionName() { result = "op_Division" }
override string getAPrimaryQlClass() { result = "DivOperator" }
}
/**
* A user-defined checked division operator (`/`), for example
*
* ```csharp
* public static Widget operator checked /(Widget lhs, Widget rhs) {
* ...
* }
* ```
*/
class CheckedDivOperator extends BinaryOperator {
CheckedDivOperator() { this.getName() = "checked /" }
override string getAPrimaryQlClass() { result = "CheckedDivOperator" }
}
/**
* A user-defined remainder operator (`%`), for example
*
@@ -727,8 +816,6 @@ class DivOperator extends BinaryOperator {
class RemOperator extends BinaryOperator {
RemOperator() { this.getName() = "%" }
override string getFunctionName() { result = "op_Modulus" }
override string getAPrimaryQlClass() { result = "RemOperator" }
}
@@ -744,8 +831,6 @@ class RemOperator extends BinaryOperator {
class AndOperator extends BinaryOperator {
AndOperator() { this.getName() = "&" }
override string getFunctionName() { result = "op_BitwiseAnd" }
override string getAPrimaryQlClass() { result = "AndOperator" }
}
@@ -761,8 +846,6 @@ class AndOperator extends BinaryOperator {
class OrOperator extends BinaryOperator {
OrOperator() { this.getName() = "|" }
override string getFunctionName() { result = "op_BitwiseOr" }
override string getAPrimaryQlClass() { result = "OrOperator" }
}
@@ -778,8 +861,6 @@ class OrOperator extends BinaryOperator {
class XorOperator extends BinaryOperator {
XorOperator() { this.getName() = "^" }
override string getFunctionName() { result = "op_ExclusiveOr" }
override string getAPrimaryQlClass() { result = "XorOperator" }
}
@@ -795,8 +876,6 @@ class XorOperator extends BinaryOperator {
class LeftShiftOperator extends BinaryOperator {
LeftShiftOperator() { this.getName() = "<<" }
override string getFunctionName() { result = "op_LeftShift" }
override string getAPrimaryQlClass() { result = "LeftShiftOperator" }
}
@@ -815,8 +894,6 @@ deprecated class LShiftOperator = LeftShiftOperator;
class RightShiftOperator extends BinaryOperator {
RightShiftOperator() { this.getName() = ">>" }
override string getFunctionName() { result = "op_RightShift" }
override string getAPrimaryQlClass() { result = "RightShiftOperator" }
}
@@ -835,8 +912,6 @@ deprecated class RShiftOperator = RightShiftOperator;
class UnsignedRightShiftOperator extends BinaryOperator {
UnsignedRightShiftOperator() { this.getName() = ">>>" }
override string getFunctionName() { result = "op_UnsignedRightShift" }
override string getAPrimaryQlClass() { result = "UnsignedRightShiftOperator" }
}
@@ -852,8 +927,6 @@ class UnsignedRightShiftOperator extends BinaryOperator {
class EQOperator extends BinaryOperator {
EQOperator() { this.getName() = "==" }
override string getFunctionName() { result = "op_Equality" }
override string getAPrimaryQlClass() { result = "EQOperator" }
}
@@ -869,8 +942,6 @@ class EQOperator extends BinaryOperator {
class NEOperator extends BinaryOperator {
NEOperator() { this.getName() = "!=" }
override string getFunctionName() { result = "op_Inequality" }
override string getAPrimaryQlClass() { result = "NEOperator" }
}
@@ -886,8 +957,6 @@ class NEOperator extends BinaryOperator {
class LTOperator extends BinaryOperator {
LTOperator() { this.getName() = "<" }
override string getFunctionName() { result = "op_LessThan" }
override string getAPrimaryQlClass() { result = "LTOperator" }
}
@@ -903,8 +972,6 @@ class LTOperator extends BinaryOperator {
class GTOperator extends BinaryOperator {
GTOperator() { this.getName() = ">" }
override string getFunctionName() { result = "op_GreaterThan" }
override string getAPrimaryQlClass() { result = "GTOperator" }
}
@@ -920,8 +987,6 @@ class GTOperator extends BinaryOperator {
class LEOperator extends BinaryOperator {
LEOperator() { this.getName() = "<=" }
override string getFunctionName() { result = "op_LessThanOrEqual" }
override string getAPrimaryQlClass() { result = "LEOperator" }
}
@@ -937,8 +1002,6 @@ class LEOperator extends BinaryOperator {
class GEOperator extends BinaryOperator {
GEOperator() { this.getName() = ">=" }
override string getFunctionName() { result = "op_GreaterThanOrEqual" }
override string getAPrimaryQlClass() { result = "GEOperator" }
}
@@ -954,7 +1017,8 @@ class GEOperator extends BinaryOperator {
class ConversionOperator extends Operator {
ConversionOperator() {
this.getName() = "implicit conversion" or
this.getName() = "explicit conversion"
this.getName() = "explicit conversion" or
this.getName() = "checked explicit conversion"
}
/** Gets the source type of the conversion. */
@@ -976,8 +1040,6 @@ class ConversionOperator extends Operator {
class ImplicitConversionOperator extends ConversionOperator {
ImplicitConversionOperator() { this.getName() = "implicit conversion" }
override string getFunctionName() { result = "op_Implicit" }
override string getAPrimaryQlClass() { result = "ImplicitConversionOperator" }
}
@@ -993,11 +1055,24 @@ class ImplicitConversionOperator extends ConversionOperator {
class ExplicitConversionOperator extends ConversionOperator {
ExplicitConversionOperator() { this.getName() = "explicit conversion" }
override string getFunctionName() { result = "op_Explicit" }
override string getAPrimaryQlClass() { result = "ExplicitConversionOperator" }
}
/**
* A user-defined checked explicit conversion operator, for example
*
* ```csharp
* public static explicit operator checked int(BigInteger i) {
* ...
* }
* ```
*/
class CheckedExplicitConversionOperator extends ConversionOperator {
CheckedExplicitConversionOperator() { this.getName() = "checked explicit conversion" }
override string getAPrimaryQlClass() { result = "CheckedExplicitConversionOperator" }
}
/**
* A local function, defined within the scope of another callable.
* For example, `Fac` on lines 2--4 in
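Review bot: `CheckedExplicitConversionOperator` extends `ConversionOperator` directly rather than `ExplicitConversionOperator`, whose characteristic predicate is pinned to `this.getName() = "explicit conversion"`, so any query or library model that selects explicit conversions through `ExplicitConversionOperator` (taint propagation through user-defined conversions, for instance) will silently skip `explicit operator checked int(...)`. Either make the checked class a subclass of `ExplicitConversionOperator` (widening that charpred to both names) or state in the `ExplicitConversionOperator` doc that checked conversions are excluded. The new class also lacks the `getFunctionName()` override its sibling has (`op_Explicit`); the checked metadata name is `op_CheckedExplicit`.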

View File

@@ -90,6 +90,9 @@ class Modifiable extends Declaration, @modifiable {
/** Holds if this declaration is `const`. */
predicate isConst() { this.hasModifier("const") }
/** Holds if this declaration has the modifier `required`. */
predicate isRequired() { this.hasModifier("required") }
/** Holds if this declaration is `unsafe`. */
predicate isUnsafe() {
this.hasModifier("unsafe") or
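Review bot: the new doc comment says `Holds if this declaration has the modifier \`required\`.` while its neighbours say `Holds if this declaration is \`const\`.` and `is \`unsafe\``; use the same phrasing (`Holds if this declaration is \`required\`.`). Since `isRequired()` is exposed on every `Modifiable`, it is also worth noting in the comment that `required` is only meaningful on fields and properties, so the predicate never holds for other declarations.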
@@ -178,6 +181,8 @@ class Member extends DotNet::Member, Modifiable, @member {
override predicate isAbstract() { Modifiable.super.isAbstract() }
override predicate isStatic() { Modifiable.super.isStatic() }
override predicate isRequired() { Modifiable.super.isRequired() }
}
private class TOverridable = @virtualizable or @callable_accessor;

View File

@@ -71,6 +71,11 @@ class LocalScopeVariable extends Variable, @local_scope_variable {
*/
predicate isRef() { none() }
/**
* Holds if this local variable or parameter is `scoped`.
*/
predicate isScoped() { scoped_annotation(this, _) }
override predicate hasQualifiedName(string qualifier, string name) { none() }
}
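Review bot: `isScoped()` wildcards the second column of `scoped_annotation(this, _)`, so whatever that column records is not surfaced; if it distinguishes kinds of `scoped` annotation, consider a second predicate (or a result) exposing it, and otherwise say in the doc comment that any kind counts. Unlike `isRef()` just above, which is `none()` here and overridden per subclass, this predicate is concrete on `LocalScopeVariable`; that is fine if `scoped_annotation` is only populated for locals and parameters, but a line of comment saying so would help.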

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
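Review bot: `fwdFlowIn` declares `arg` as `NodeEx`, while the `fwdFlowIsEntered` it replaces and `viableParamArgNodeCandFwd1` further down use `ArgNodeEx`; `viableParamArgEx(call, p, arg)` constrains it anyway, but declaring it `ArgNodeEx` documents the intent and keeps the signature aligned with its callers. Second, the doc on `viableImplInSomeFwdFlowCallContextExt` says it is "restricted to those `call`s for which a context might make a difference", but the body only filters on `ctx` via `fwdFlowIsEntered`; the restriction on `call` comes from the `reducedViableImplInCallContext(call, _, _)` conjunct in `fwdFlowInReducedViableImplInSomeCallContext` at the join site (unless `viableImplInCallContextExt` itself is already restricted), so either tighten the comment or add that conjunct here.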
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
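Review bot: the `fwdFlowIsEntered` removed here is not equivalent to its replacement above: the old body was `fwdFlow(arg, cc, config) and viableParamArgEx(call, _, arg)`, whereas the new one goes through `fwdFlowIn`, which additionally requires `not fullBarrier(p, config)` and, for `cc = true`, either no reduced dispatch for `call` or a target confirmed by `viableImplInSomeFwdFlowCallContextExt`. A call whose only reachable parameters are barriers, or whose dispatch is pruned away by context, therefore no longer counts as entered, and the "flow through a callable" disjunct in `fwdFlow` is cut for it. That looks intentional and sound (no flow can actually enter such a call), but one sentence in the `fwdFlowIsEntered` doc stating the stricter meaning would stop a later reader from treating this as a pure refactor.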
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
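Review bot: `viableParamArgNodeCandFwd1` changes meaning, not just implementation: it used to be `viableParamArgEx(call, p, arg) and fwdFlow(arg, config)` and now delegates to `fwdFlowIn`, which also drops barrier parameters and context-pruned dispatch targets. Since the predicate is exposed from `Stage1` (marked `additional`) for use elsewhere, the narrowing propagates to every consumer; that is the desired pruning, but its doc comment (outside this hunk) should say candidates are already barrier- and dispatch-filtered. Also, `pragma[nomagic]` on `revFlowIn` is swapped for `pragma[inline]` with the same one-line comment as on `fwdFlowIn` and `fwdFlowOut`; a single fuller comment on `fwdFlowIn` explaining why these call-boundary predicates are inlined into the recursive `fwdFlow`/`revFlow` would serve all three.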
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
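Review bot: `readStepCand0` is a bare wrapper around `readStepCand` whose only purpose is the `bindingset[node1, apc]` plus `pragma[inline_late]` pair, i.e. forcing the join in `fwdFlowRead` to evaluate `fwdFlow(...)` and `apc = getHeadContent(ap)` first and only then look up read candidates by `(node1, apc)`; add a one-line comment saying so, since nothing else distinguishes it from `readStepCand`. Dropping `ApNonNil` also means `fwdFlowRead` now feeds every `ap` into `getHeadContent(ap)`, so correctness relies on each stage's `getHeadContent` having no result for a nil access path (Stage2 enforces this with `ap = true`); that invariant belongs in the `getHeadContent` doc in `StageParam`.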
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
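Review bot: in `Stage3Param` two adjacent members now disagree on how to reach the head of an `Ap`: `apCons` still uses `result.getAHead() = tc`, while the rewritten `getHeadContent` uses `ap.getHead().getContent()` to produce a `ContentApprox`. That is presumably the point (the `StageParam` doc requires the `Ap` to `ApHeadContent` mapping to be functional, which enumerating `getAHead()` would not be), but a comment on `getHeadContent` explaining that `getHead()` is the single approximated head whereas `getAHead()` enumerates the concrete heads would save the next reader the same puzzle.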
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
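Review bot: this file's hunks are identical to those of the file above, so the same points apply here unchanged: `fwdFlowIn` takes `arg` as `NodeEx` where its callers use `ArgNodeEx`; the replacement `fwdFlowIsEntered` (via `fwdFlowIn`) is stricter than the removed one, adding the `not fullBarrier(p, config)` and dispatch-context filters, and should say so in its doc; `readStepCand0` needs a comment explaining its `inline_late` role; and `Stage3Param` mixes `getAHead()` in `apCons` with `getHead()` in `getHeadContent` without saying why. If these copies are meant to stay byte-for-byte in sync, apply any fix to all of them together.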
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;

View File

@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
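Review bot: third identical copy of the same hunks; the same review points hold here: `fwdFlowIn` should type `arg` as `ArgNodeEx`, the stricter `fwdFlowIsEntered` semantics should be documented, `readStepCand0` wants a comment on its `inline_late` purpose, and `Stage3Param` should explain `getHead()` versus `getAHead()`. Whatever is changed in the other copies needs to land here too.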
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
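Review bot: dropping `ApNonNil` makes the exclusion of empty access paths implicit. The old `fwdFlowRead0` typed `ap` as `ApNonNil`; the new `fwdFlowRead` only requires `apc = getHeadContent(ap)`, so reads from a nil access path are excluded solely because every stage's `getHeadContent` has no result for the nil `Ap`. A one-line comment on `fwdFlowRead` stating that invariant would stop a future `StageParam` from silently reintroducing reads on empty paths. Separately, `readStepCand0` is a verbatim wrapper around `readStepCand` whose only purpose is the `bindingset[node1, apc]` plus `pragma[inline_late]` join ordering; give it a comment in the style of the `// inline to reduce the number of iterations` comments elsewhere in this change.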
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
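Review bot: `ApHeadContent projectToHeadContent(Content c) { any() }` leaves both `c` and `result` unconstrained. That is fine for `Unit`, but `apCons` in the same hunk writes its unused parameters as `exists(tc) and exists(tail)`; using `exists(c)` here keeps the two consistent and makes it explicit that the parameter is deliberately ignored rather than forgotten.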
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
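Review bot: `getHeadContent` now goes through `ap.getHead().getContent()` instead of `ap.getAHead().getContent()`, returning the single `ContentApprox` of the front rather than one `Content` per approximated head, which is what makes the mapping functional as the signature doc requires. It depends on the `ContentApprox getContent() { result = c }` accessor added to `TypedContentApprox` in the `@@ -1391` hunk. The alias `predicate projectToHeadContent = getContentApprox/1;` must map a `Content` to the same `ContentApprox` that `getHead().getContent()` yields for an access path whose head was built from it; `getContentApprox` is not visible on this page, so please confirm that pairing in the tests or a comment.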
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;


@@ -667,23 +667,78 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(NodeEx arg |
fwdFlow(arg, _, config) and
viableParamArgEx(_, node, arg) and
cc = true and
not fullBarrier(node, config)
)
fwdFlowIn(_, _, _, node, config) and
cc = true
or
// flow out of a callable
fwdFlowOut(_, node, false, config) and
cc = false
or
// flow through a callable
exists(DataFlowCall call |
fwdFlowOut(call, node, false, config) and
cc = false
or
fwdFlowOutFromArg(call, node, config) and
fwdFlowIsEntered(call, cc, config)
)
}
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowIn(
DataFlowCall call, NodeEx arg, Cc cc, ParamNodeEx p, Configuration config
) {
// call context cannot help reduce virtual dispatch
fwdFlow(arg, cc, config) and
viableParamArgEx(call, p, arg) and
not fullBarrier(p, config) and
(
cc = false
or
cc = true and
not reducedViableImplInCallContext(call, _, _)
)
or
// call context may help reduce virtual dispatch
exists(DataFlowCallable target |
fwdFlowInReducedViableImplInSomeCallContext(call, arg, p, target, config) and
target = viableImplInSomeFwdFlowCallContextExt(call, config) and
cc = true
)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
fwdFlowIn(call, _, cc, _, config)
}
pragma[nomagic]
private predicate fwdFlowInReducedViableImplInSomeCallContext(
DataFlowCall call, NodeEx arg, ParamNodeEx p, DataFlowCallable target, Configuration config
) {
fwdFlow(arg, true, config) and
viableParamArgEx(call, p, arg) and
reducedViableImplInCallContext(call, _, _) and
target = p.getEnclosingCallable() and
not fullBarrier(p, config)
}
/**
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference,
* and to `ctx`s that are reachable in `fwdFlow`.
*/
pragma[nomagic]
private DataFlowCallable viableImplInSomeFwdFlowCallContextExt(
DataFlowCall call, Configuration config
) {
exists(DataFlowCall ctx |
fwdFlowIsEntered(ctx, _, config) and
result = viableImplInCallContextExt(call, ctx)
)
}
private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }
pragma[nomagic]
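Review bot: `fwdFlowIn` has no QLDoc even though the other new predicates in this hunk do; add one that states the actual semantic change. Before, `// flow into a callable` admitted any `arg` reached with any `cc`; now, when `reducedViableImplInCallContext(call, _, _)` holds and the argument is reached with `cc = true`, the parameter is only reached if `p.getEnclosingCallable()` is `viableImplInCallContextExt(call, ctx)` for some `ctx` that `fwdFlowIsEntered` has already reached, while an argument reached with `cc = false` still enters every viable target (consistent, since no context is known). The doc should also mention the new recursion `fwdFlowIn` to `viableImplInSomeFwdFlowCallContextExt` to `fwdFlowIsEntered` to `fwdFlowIn`, layered on the existing `fwdFlow` recursion, since `fwdFlowIn` is `pragma[inline]` and the `// inline to reduce the number of iterations` comment is the only hint that the cycle is intended.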
@@ -726,7 +781,8 @@ private module Stage1 implements StageSig {
)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
exists(ReturnPosition pos |
fwdFlowReturnPosition(pos, cc, config) and
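Review bot: switching `fwdFlowOut` from `pragma[nomagic]` to `pragma[inline]` reverses the earlier decision to keep the `fwdFlowReturnPosition` join materialised; its body is now expanded at every caller, including `fwdFlowOut(_, node, false, config)` in `fwdFlow` and `fwdFlowOut(call, out, true, config)` at the top of the next hunk. The comment gives the goal (fewer iterations); a sentence in the commit message on what measurement motivated the flip would help the next person tuning this.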
@@ -740,17 +796,6 @@ private module Stage1 implements StageSig {
fwdFlowOut(call, out, true, config)
}
/**
* Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
*/
pragma[nomagic]
private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
exists(ArgNodeEx arg |
fwdFlow(arg, cc, config) and
viableParamArgEx(call, _, arg)
)
}
private predicate stateStepFwd(FlowState state1, FlowState state2, Configuration config) {
exists(NodeEx node1 |
additionalLocalStateStep(node1, state1, _, state2, config) or
@@ -817,13 +862,8 @@ private module Stage1 implements StageSig {
)
or
// flow into a callable
exists(DataFlowCall call |
revFlowIn(call, node, false, config) and
toReturn = false
or
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
revFlowIn(_, node, false, config) and
toReturn = false
or
// flow out of a callable
exists(ReturnPosition pos |
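Review bot: the wildcard in `revFlowIn(_, node, false, config)` is correct because `call` was only needed by the `revFlowInToReturn`/`revFlowIsReturned` alternative, which moves to its own `// flow through a callable` disjunct in the `@@ -831` hunk, so the computed relation is unchanged. The result mirrors the forward direction (`fwdFlowIn(_, _, _, node, config)` with a separate flow-through case in the `@@ -667` hunk); a comment cross-referencing the two would make the symmetry explicit.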
@@ -831,6 +871,12 @@ private module Stage1 implements StageSig {
node.(RetNodeEx).getReturnPosition() = pos and
toReturn = true
)
or
// flow through a callable
exists(DataFlowCall call |
revFlowInToReturn(call, node, config) and
revFlowIsReturned(call, toReturn, config)
)
}
/**
@@ -886,11 +932,11 @@ private module Stage1 implements StageSig {
additional predicate viableParamArgNodeCandFwd1(
DataFlowCall call, ParamNodeEx p, ArgNodeEx arg, Configuration config
) {
viableParamArgEx(call, p, arg) and
fwdFlow(arg, config)
fwdFlowIn(call, arg, _, p, config)
}
pragma[nomagic]
// inline to reduce the number of iterations
pragma[inline]
private predicate revFlowIn(
DataFlowCall call, ArgNodeEx arg, boolean toReturn, Configuration config
) {
@@ -1223,7 +1269,16 @@ private module MkStage<StageSig PrevStage> {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail);
Content getHeadContent(Ap ap);
/**
* An approximation of `Content` that corresponds to the precision level of
* `Ap`, such that the mappings from both `Ap` and `Content` to this type
* are functional.
*/
class ApHeadContent;
ApHeadContent getHeadContent(Ap ap);
ApHeadContent projectToHeadContent(Content c);
class ApOption;
@@ -1471,34 +1526,32 @@ private module MkStage<StageSig PrevStage> {
)
}
private class ApNonNil instanceof Ap {
pragma[nomagic]
ApNonNil() { not this instanceof ApNil }
string toString() { result = "" }
}
pragma[nomagic]
private predicate fwdFlowRead0(
NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
Configuration config
private predicate readStepCand(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, _, _, config)
PrevStage::readStepCand(node1, c, node2, config) and
apc = projectToHeadContent(c)
}
bindingset[ap, c]
bindingset[node1, apc]
pragma[inline_late]
private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
private predicate readStepCand0(
NodeEx node1, ApHeadContent apc, Content c, NodeEx node2, Configuration config
) {
readStepCand(node1, apc, c, node2, config)
}
pragma[nomagic]
private predicate fwdFlowRead(
Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
ParamNodeOption summaryCtx, ApOption argAp, Configuration config
) {
fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
PrevStage::readStepCand(node1, c, node2, config) and
hasHeadContent(ap, c)
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2, config)
)
}
pragma[nomagic]
@@ -2072,8 +2125,12 @@ private module Stage2Param implements MkStage<Stage1>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
class ApHeadContent = Unit;
pragma[inline]
Content getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent getHeadContent(Ap ap) { exists(result) and ap = true }
ApHeadContent projectToHeadContent(Content c) { any() }
class ApOption = BooleanOption;
@@ -2337,8 +2394,12 @@ private module Stage3Param implements MkStage<Stage2>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getAHead() = tc and exists(tail) }
class ApHeadContent = ContentApprox;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getAHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
predicate projectToHeadContent = getContentApprox/1;
class ApOption = ApproxAccessPathFrontOption;
@@ -2413,8 +2474,12 @@ private module Stage4Param implements MkStage<Stage3>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathFrontOption;
@@ -2743,8 +2808,12 @@ private module Stage5Param implements MkStage<Stage4>::StageParam {
bindingset[tc, tail]
Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
class ApHeadContent = Content;
pragma[noinline]
Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent getHeadContent(Ap ap) { result = ap.getHead().getContent() }
ApHeadContent projectToHeadContent(Content c) { result = c }
class ApOption = AccessPathApproxOption;


@@ -707,8 +707,8 @@ private module Cached {
* Gets a viable dispatch target of `call` in the context `ctx`. This is
* restricted to those `call`s for which a context might make a difference.
*/
pragma[nomagic]
private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
cached
DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
result = viableImplInCallContext(call, ctx) and
result = viableCallable(call)
or
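Review bot: dropping `private` and `pragma[nomagic]` in favour of `cached` widens the surface of the `Cached` module: `viableImplInCallContextExt` becomes callable from outside, where the new `viableImplInSomeFwdFlowCallContextExt` joins it against a recursive predicate. Its QLDoc should say that this is the intended external use and why it is cached. Note the `@@ -707,8 +707,8` counts only balance if the `pragma[nomagic]` line is really removed rather than kept next to `cached`; that is fine, since a `cached` predicate is materialised in full and `nomagic` would be redundant.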
@@ -1391,6 +1391,9 @@ class TypedContentApprox extends MkTypedContentApprox {
/** Gets a typed content approximated by this value. */
TypedContent getATypedContent() { result = getATypedContent(this) }
/** Gets the content. */
ContentApprox getContent() { result = c }
/** Gets the container type. */
DataFlowType getContainerType() { result = t }
@@ -1408,6 +1411,8 @@ abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
abstract boolean toBoolNonEmpty();
TypedContentApprox getHead() { this = TApproxFrontHead(result) }
pragma[nomagic]
TypedContent getAHead() {
exists(TypedContentApprox cont |


@@ -80,6 +80,9 @@ class Member extends Declaration, @dotnet_member {
/** Holds if this member is `static`. */
predicate isStatic() { none() }
/** Holds if this member is declared `required`. */
predicate isRequired() { none() }
/**
* Holds if this member has name `name` and is defined in type `type`
* with namespace `namespace`.
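Review bot: `predicate isRequired() { none() }` is added as an always-false default, but no override and no dbscheme relation backing `required` appears in the visible hunks (the only new dbscheme relation on this page is `scoped_annotation`). If the override lives in a file this page does not show, fine; otherwise this is a documented predicate that can never hold. Either way, the QLDoc should name the member kinds it applies to (the C# `required` modifier is valid on fields and properties) so readers know where to expect the override.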


@@ -878,6 +878,13 @@ param_location(
int id: @parameter ref,
int loc: @location ref);
@has_scoped_annotation = @local_scope_variable
scoped_annotation(
int id: @has_scoped_annotation ref,
int kind: int ref // scoped ref = 1, scoped value = 2
);
/** STATEMENTS **/
@exprorstmt_parent = @control_flow_element | @top_level_exprorstmt_parent;
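Review bot: `scoped_annotation(int id: @has_scoped_annotation ref, int kind: int ref ...)` declares `id` as a plain `ref` column, so the schema permits several rows, and hence several `kind` values, for the same variable. If a local-scope variable carries at most one scoped annotation, key the relation on `id` (`unique int id: ...` or `#keyset[id]`) so the constraint is enforced and the stats can reflect it. The trailing `// scoped ref = 1, scoped value = 2` comment is the only place the two kind values are documented; repeat them in the QL class that wraps this relation so they are not magic numbers there.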


@@ -26228,6 +26228,59 @@
</dep>
</dependencies>
</relation>
<relation>
<name>scoped_annotation</name>
<cardinality>43498</cardinality>
<columnsizes>
<e>
<k>id</k>
<v>43498</v>
</e>
<e>
<k>kind</k>
<v>18</v>
</e>
</columnsizes>
<dependencies>
<dep>
<src>id</src>
<trg>kind</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>43498</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>kind</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>11</a>
<b>12</b>
<v>9</v>
</b>
<b>
<a>4599</a>
<b>4600</b>
<v>9</v>
</b>
</bs>
</hist>
</val>
</dep>
</dependencies>
</relation>
<relation>
<name>statements</name>
<cardinality>2458000</cardinality>
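Review bot: the stats entry for `scoped_annotation` is internally inconsistent and looks hand-written rather than measured: the dbscheme comment allows only two `kind` values, yet `<columnsizes>` reports 18 distinct `kind`s, and the `kind` to `id` histogram has two buckets of 9 keys each (11 and 4599 ids per kind), which sums to 41490 ids, not the 43498 given as the cardinality and in the `id` to `kind` histogram. Stats drive the optimiser's join ordering, so either regenerate this block from a real database or reduce `kind` to 2 with a single `id` to `kind` bucket.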



@@ -0,0 +1,2 @@
description: Add a relation for scoped annotations.
compatibility: backwards


@@ -1,3 +1,7 @@
## 0.5.3
No user-facing changes.
## 0.5.2
No user-facing changes.


@@ -11,17 +11,19 @@ private import semmle.code.csharp.dataflow.internal.DataFlowDispatch as DataFlow
private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
private import semmle.code.csharp.security.dataflow.flowsources.Remote
pragma[nomagic]
private predicate isTestNamespace(Namespace ns) {
ns.getFullName()
.matches([
"NUnit.Framework%", "Xunit%", "Microsoft.VisualStudio.TestTools.UnitTesting%", "Moq%"
])
}
/**
* A test library.
*/
class TestLibrary extends RefType {
TestLibrary() {
this.getNamespace()
.getFullName()
.matches([
"NUnit.Framework%", "Xunit%", "Microsoft.VisualStudio.TestTools.UnitTesting%", "Moq%"
])
}
TestLibrary() { isTestNamespace(this.getNamespace()) }
}
/** Holds if the given callable is not worth supporting. */
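Review bot: `isTestNamespace` is a straight extraction of the old constructor body, so behaviour is unchanged; the `pragma[nomagic]` makes the `matches` over namespace full names computed once instead of being specialised per `RefType`, which is the point of the refactor. Two small things: give the new predicate a QLDoc comment like every other predicate in this file (for example `/** Holds if `ns` is the namespace of a test library. */`), and note that the patterns are prefix matches (`"Moq%"`, `"Xunit%"`), so any namespace starting with those strings counts as test code, not only the libraries themselves; that was already the case, but the extraction makes it visible in one place.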
@@ -85,6 +87,7 @@ class ExternalApi extends DotNet::Callable {
}
/** Holds if this API has a supported summary. */
pragma[nomagic]
predicate hasSummary() {
this instanceof SummarizedCallable
or
@@ -92,11 +95,13 @@ class ExternalApi extends DotNet::Callable {
}
/** Holds if this API is a known source. */
pragma[nomagic]
predicate isSource() {
this.getAnOutput() instanceof RemoteFlowSource or sourceNode(this.getAnOutput(), _)
}
/** Holds if this API is a known sink. */
pragma[nomagic]
predicate isSink() { sinkNode(this.getAnInput(), _) }
/** Holds if this API is supported by existing CodeQL libraries, that is, it is either a recognized source or sink or has a flow summary. */


@@ -0,0 +1,3 @@
## 0.5.3
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.5.2
lastReleaseVersion: 0.5.3


@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.5.2
version: 0.5.4-dev
groups:
- csharp
- queries
