Merge remote-tracking branch 'origin/main' into dbartol/rc3.13-mergeback

Author: Dave Bartolomeo

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -138,9 +138,9 @@ class GuardCondition extends Expr {
   cached
   predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) { none() }
 
-  /** Holds if (determined by this guard) `e == k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */
+  /** Holds if (determined by this guard) `e == k` evaluates to `areEqual` if this expression evaluates to `value`. */
   cached
-  predicate comparesEq(Expr e, int k, boolean areEqual, boolean testIsTrue) { none() }
+  predicate comparesEq(Expr e, int k, boolean areEqual, AbstractValue value) { none() }
 
   /**
    * Holds if (determined by this guard) `e == k` must be `areEqual` in `block`.
@@ -196,17 +196,18 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
     )
   }
 
-  override predicate comparesEq(Expr e, int k, boolean areEqual, boolean testIsTrue) {
-    exists(boolean partIsTrue, GuardCondition part |
-      this.(BinaryLogicalOperation).impliesValue(part, partIsTrue, testIsTrue)
+  override predicate comparesEq(Expr e, int k, boolean areEqual, AbstractValue value) {
+    exists(BooleanValue partValue, GuardCondition part |
+      this.(BinaryLogicalOperation)
+          .impliesValue(part, partValue.getValue(), value.(BooleanValue).getValue())
     |
-      part.comparesEq(e, k, areEqual, partIsTrue)
+      part.comparesEq(e, k, areEqual, partValue)
     )
   }
 
   override predicate ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual) {
-    exists(boolean testIsTrue |
-      this.comparesEq(e, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
+    exists(AbstractValue value |
+      this.comparesEq(e, k, areEqual, value) and this.valueControls(block, value)
     )
   }
 }
@@ -270,18 +271,18 @@ private class GuardConditionFromIR extends GuardCondition {
     )
   }
 
-  override predicate comparesEq(Expr e, int k, boolean areEqual, boolean testIsTrue) {
+  override predicate comparesEq(Expr e, int k, boolean areEqual, AbstractValue value) {
     exists(Instruction i |
       i.getUnconvertedResultExpression() = e and
-      ir.comparesEq(i.getAUse(), k, areEqual, testIsTrue)
+      ir.comparesEq(i.getAUse(), k, areEqual, value)
     )
   }
 
   override predicate ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual) {
-    exists(Instruction i, boolean testIsTrue |
+    exists(Instruction i, AbstractValue value |
       i.getUnconvertedResultExpression() = e and
-      ir.comparesEq(i.getAUse(), k, areEqual, testIsTrue) and
-      this.controls(block, testIsTrue)
+      ir.comparesEq(i.getAUse(), k, areEqual, value) and
+      this.valueControls(block, value)
     )
   }
 
@@ -492,19 +493,10 @@ class IRGuardCondition extends Instruction {
     )
   }
 
-  /** Holds if (determined by this guard) `op == k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */
+  /** Holds if (determined by this guard) `op == k` evaluates to `areEqual` if this expression evaluates to `value`. */
   cached
-  predicate comparesEq(Operand op, int k, boolean areEqual, boolean testIsTrue) {
-    exists(MatchValue mv |
-      compares_eq(this, op, k, areEqual, mv) and
-      // A match value cannot be dualized, so `testIsTrue` is always true
-      testIsTrue = true
-    )
-    or
-    exists(BooleanValue bv |
-      compares_eq(this, op, k, areEqual, bv) and
-      bv.getValue() = testIsTrue
-    )
+  predicate comparesEq(Operand op, int k, boolean areEqual, AbstractValue value) {
+    compares_eq(this, op, k, areEqual, value)
   }
 
   /**

cpp/ql/test/library-tests/controlflow/guards-ir/tests.ql

@@ -4,8 +4,8 @@ import semmle.code.cpp.controlflow.IRGuards
 query predicate astGuards(GuardCondition guard) { any() }
 
 query predicate astGuardsCompare(int startLine, string msg) {
-  exists(GuardCondition guard, Expr left, int k, string which, string op |
-    exists(boolean sense |
+  exists(GuardCondition guard, Expr left, int k, string op |
+    exists(boolean sense, string which |
       sense = true and which = "true"
       or
       sense = false and which = "false"
@@ -21,14 +21,16 @@ query predicate astGuardsCompare(int startLine, string msg) {
       |
         msg = left + op + right + "+" + k + " when " + guard + " is " + which
       )
+    )
+    or
+    exists(AbstractValue value |
+      guard.comparesEq(left, k, true, value) and op = " == "
       or
-      (
-        guard.comparesEq(left, k, true, sense) and op = " == "
-        or
-        guard.comparesEq(left, k, false, sense) and op = " != "
-      ) and
-      msg = left + op + k + " when " + guard + " is " + which
-    ) and
+      guard.comparesEq(left, k, false, value) and op = " != "
+    |
+      msg = left + op + k + " when " + guard + " is " + value
+    )
+  |
     startLine = guard.getLocation().getStartLine()
   )
 }
@@ -71,8 +73,8 @@ query predicate astGuardsEnsure_const(
 query predicate irGuards(IRGuardCondition guard) { any() }
 
 query predicate irGuardsCompare(int startLine, string msg) {
-  exists(IRGuardCondition guard, Operand left, int k, string which, string op |
-    exists(boolean sense |
+  exists(IRGuardCondition guard, Operand left, int k, string op |
+    exists(boolean sense, string which |
       sense = true and which = "true"
       or
       sense = false and which = "false"
@@ -91,16 +93,18 @@ query predicate irGuardsCompare(int startLine, string msg) {
             right.getAnyDef().getUnconvertedResultExpression() + "+" + k + " when " + guard + " is "
             + which
       )
+    )
+    or
+    exists(AbstractValue value |
+      guard.comparesEq(left, k, true, value) and op = " == "
       or
-      (
-        guard.comparesEq(left, k, true, sense) and op = " == "
-        or
-        guard.comparesEq(left, k, false, sense) and op = " != "
-      ) and
+      guard.comparesEq(left, k, false, value) and op = " != "
+    |
       msg =
         left.getAnyDef().getUnconvertedResultExpression() + op + k + " when " + guard + " is " +
-          which
-    ) and
+          value
+    )
+  |
     startLine = guard.getLocation().getStartLine()
   )
 }

cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected

@@ -55,9 +55,9 @@
 | 58 | y < 0+0 when ... < ... is true |
 | 58 | y >= 0+0 when ... < ... is false |
 | 58 | y >= 0+0 when ... \|\| ... is false |
-| 61 | i == 0 when i is true |
-| 61 | i == 1 when i is true |
-| 61 | i == 2 when i is true |
+| 61 | i == 0 when i is Case[0] |
+| 61 | i == 1 when i is Case[1] |
+| 61 | i == 2 when i is Case[2] |
 | 75 | 0 != x+0 when ... == ... is false |
 | 75 | 0 == x+0 when ... == ... is true |
 | 75 | x != 0 when ... == ... is false |

cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.ql

@@ -7,9 +7,9 @@
 import cpp
 import semmle.code.cpp.controlflow.Guards
 
-from GuardCondition guard, Expr left, int k, string which, string op, string msg
+from GuardCondition guard, Expr left, int k, string op, string msg
 where
-  exists(boolean sense |
+  exists(boolean sense, string which |
     sense = true and which = "true"
     or
     sense = false and which = "false"
@@ -25,12 +25,13 @@ where
     |
       msg = left + op + right + "+" + k + " when " + guard + " is " + which
     )
+  )
+  or
+  exists(AbstractValue value |
+    guard.comparesEq(left, k, true, value) and op = " == "
     or
-    (
-      guard.comparesEq(left, k, true, sense) and op = " == "
-      or
-      guard.comparesEq(left, k, false, sense) and op = " != "
-    ) and
-    msg = left + op + k + " when " + guard + " is " + which
+    guard.comparesEq(left, k, false, value) and op = " != "
+  |
+    msg = left + op + k + " when " + guard + " is " + value
   )
 select guard.getLocation().getStartLine(), msg

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -1781,6 +1781,12 @@ destructors_for_temps.cpp:
 #   15|             getQualifier(): [ConstructorCall] call to ClassWithDestructor2
 #   15|                 Type = [VoidType] void
 #   15|                 ValueCategory = prvalue
+#   15|             getImplicitDestructorCall(0): [DestructorCall] call to ~ClassWithDestructor2
+#   15|                 Type = [VoidType] void
+#   15|                 ValueCategory = prvalue
+#   15|               getQualifier(): [ReuseExpr] reuse of temporary object
+#   15|                   Type = [Class] ClassWithDestructor2
+#   15|                   ValueCategory = xvalue
 #   15|             getQualifier().getFullyConverted(): [TemporaryObjectExpr] temporary object
 #   15|                 Type = [Class] ClassWithDestructor2
 #   15|                 ValueCategory = prvalue(load)
@@ -1804,6 +1810,12 @@ destructors_for_temps.cpp:
 #   16|               getQualifier().getFullyConverted(): [TemporaryObjectExpr] temporary object
 #   16|                   Type = [Class] ClassWithDestructor2
 #   16|                   ValueCategory = prvalue(load)
+#   16|             getImplicitDestructorCall(0): [DestructorCall] call to ~ClassWithDestructor2
+#   16|                 Type = [VoidType] void
+#   16|                 ValueCategory = prvalue
+#   16|               getQualifier(): [ReuseExpr] reuse of temporary object
+#   16|                   Type = [Class] ClassWithDestructor2
+#   16|                   ValueCategory = xvalue
 #   17|     getStmt(2): [ReturnStmt] return ...
 #   17|       getExpr(): [FunctionCall] call to get_x
 #   17|           Type = [PlainCharType] char
@@ -18145,6 +18157,12 @@ ir.cpp:
 # 2293|                 getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
 # 2293|                     Type = [PointerType] const char *
 # 2293|                     ValueCategory = prvalue
+# 2293|               getImplicitDestructorCall(0): [DestructorCall] call to ~String
+# 2293|                   Type = [VoidType] void
+# 2293|                   ValueCategory = prvalue
+# 2293|                 getQualifier(): [ReuseExpr] reuse of temporary object
+# 2293|                     Type = [Struct] String
+# 2293|                     ValueCategory = xvalue
 # 2293|               getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
 # 2293|                   Type = [Struct] String
 # 2293|                   ValueCategory = lvalue

java/ql/lib/ext/java.io.model.yml

@@ -78,11 +78,13 @@ extensions:
       - ["java.io", "File", True, "getCanonicalFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "getCanonicalPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.io", "File", True, "getParent", "()", "", "Argument[this]", "ReturnValue", "taint", "df-manual"]
       - ["java.io", "File", True, "getParentFile", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "getPath", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.io", "File", True, "toURL", "()", "", "Argument[this]", "ReturnValue", "taint", "df-manual"]
       - ["java.io", "FilterOutputStream", True, "FilterOutputStream", "(OutputStream)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["java.io", "InputStream", True, "read", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "InputStream", True, "read", "(byte[])", "", "Argument[this]", "Argument[0]", "taint", "manual"]
@@ -118,6 +120,7 @@ extensions:
       - ["java.io", "File", "listFiles", "", "summary", "df-manual"]
       - ["java.io", "File", "mkdirs", "()", "summary", "manual"]
       - ["java.io", "FileInputStream", "FileInputStream", "(File)", "summary", "manual"]
+      - ["java.io", "FileInputStream", "FileInputStream", "(FileDescriptor)", "summary", "df-manual"]
       - ["java.io", "FileInputStream", "FileInputStream", "(String)", "summary", "df-manual"]
       - ["java.io", "InputStream", "close", "()", "summary", "manual"]
       - ["java.io", "ObjectInput", "readObject", "()", "summary", "df-manual"] # this is a deserialization sink modeled in regular CodeQL

java/ql/lib/ext/java.lang.model.yml

@@ -114,6 +114,7 @@ extensions:
       - ["java.lang", "String", False, "indent", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "intern", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "join", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
+      - ["java.lang", "String", False, "lines", "()", "", "Argument[this]", "ReturnValue.Element", "taint", "df-manual"]
       - ["java.lang", "String", False, "repeat", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "replace", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "replace", "", "", "Argument[1]", "ReturnValue", "taint", "manual"]
@@ -185,8 +186,19 @@ extensions:
       - ["java.lang", "Class", "isAssignableFrom", "(Class)", "summary", "manual"]
       - ["java.lang", "Class", "isInstance", "(Object)", "summary", "manual"]
       - ["java.lang", "Class", "toString", "()", "summary", "manual"]
+      - ["java.lang", "ClassLoader", "findResource", "(String)", "summary", "df-manual"]
+      - ["java.lang", "ClassLoader", "getDefinedPackage", "(String)", "summary", "df-manual"]
+      - ["java.lang", "ClassLoader", "getDefinedPackage", "(String)", "summary", "df-manual"]
+      - ["java.lang", "ClassLoader", "getName", "()", "summary", "df-manual"]
+      - ["java.lang", "ClassLoader", "getParent", "()", "summary", "df-manual"]
       - ["java.lang", "ClassLoader", "getResource", "(String)", "summary", "manual"]
       - ["java.lang", "ClassLoader", "getResourceAsStream", "(String)", "summary", "manual"]
+      - ["java.lang", "ClassLoader", "getSystemResource", "(String)", "summary", "df-manual"]
+      - ["java.lang", "ClassLoader", "getUnnamedModule", "()", "summary", "df-manual"]
+      - ["java.lang", "ClassLoader", "loadClass", "(String)", "summary", "df-manual"]
+      - ["java.lang", "ClassLoader", "loadClass", "(String,boolean)", "summary", "df-manual"]
+      - ["java.lang", "ClassLoader", "setClassAssertionStatus", "(String,boolean)", "summary", "df-manual"]
+      - ["java.lang", "ClassLoader", "setPackageAssertionStatus", "(String,boolean)", "summary", "df-manual"]
       - ["java.lang", "Enum", "Enum", "(String,int)", "summary", "manual"]
       - ["java.lang", "Enum", "equals", "(Object)", "summary", "manual"]
       - ["java.lang", "Enum", "hashCode", "()", "summary", "manual"]
@@ -228,14 +240,14 @@ extensions:
       - ["java.lang", "Thread", "interrupt", "()", "summary", "manual"]
       - ["java.lang", "Thread", "sleep", "(long)", "summary", "manual"]
       - ["java.lang", "Thread", "start", "()", "summary", "manual"]
-      - ["java.lang", "Throwable", "addSuppressed", "(Throwable)", "summary", "manual"]
-      - ["java.lang", "Throwable", "fillInStackTrace", "()", "summary", "manual"]
-      - ["java.lang", "Throwable", "getStackTrace", "()", "summary", "manual"]
-      - ["java.lang", "Throwable", "getSuppressed", "()", "summary", "manual"]
-      - ["java.lang", "Throwable", "printStackTrace", "()", "summary", "manual"]
-      - ["java.lang", "Throwable", "printStackTrace", "(PrintStream)", "summary", "manual"]
-      - ["java.lang", "Throwable", "printStackTrace", "(PrintWriter)", "summary", "manual"]
-      - ["java.lang", "Throwable", "setStackTrace", "(StackTraceElement[])", "summary", "manual"]
+      - ["java.lang", "Throwable", "addSuppressed", "(Throwable)", "summary", "df-manual"]
+      - ["java.lang", "Throwable", "fillInStackTrace", "()", "summary", "df-manual"]
+      - ["java.lang", "Throwable", "getStackTrace", "()", "summary", "df-manual"]
+      - ["java.lang", "Throwable", "getSuppressed", "()", "summary", "df-manual"]
+      - ["java.lang", "Throwable", "printStackTrace", "()", "summary", "df-manual"]
+      - ["java.lang", "Throwable", "printStackTrace", "(PrintStream)", "summary", "df-manual"]
+      - ["java.lang", "Throwable", "printStackTrace", "(PrintWriter)", "summary", "df-manual"]
+      - ["java.lang", "Throwable", "setStackTrace", "(StackTraceElement[])", "summary", "df-manual"]
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
       - ["java.lang", "Double", "doubleToLongBits", "(double)", "summary", "manual"] # taint-numeric

java/ql/lib/ext/java.net.model.yml

@@ -67,4 +67,5 @@ extensions:
     data:
       # summary neutrals
       - ["java.net", "Socket", "getOutputStream", "()", "summary", "df-manual"]
+      - ["java.net", "Socket", "connect", "(SocketAddress)", "summary", "df-manual"]
       - ["java.net", "Socket", "connect", "(SocketAddress,int)", "summary", "df-manual"]

java/ql/lib/ext/java.nio.file.model.yml

@@ -91,7 +91,7 @@ extensions:
     data:
       # summary neutrals
       - ["java.nio.file", "Files", "exists", "(Path,LinkOption[])", "summary", "manual"]
-      - ["java.nio.file", "Files", "newInputStream", "(Path,LinkOption[])", "summary", "df-manual"]
+      - ["java.nio.file", "Files", "newInputStream", "(Path,OpenOption[])", "summary", "df-manual"]
       # sink neutrals
       - ["java.nio.file", "Files", "getLastModifiedTime", "", "sink", "hq-manual"]
       - ["java.nio.file", "Files", "getOwner", "", "sink", "hq-manual"]