Merge branch 'main' into rust-saa-additions

Author: paldepind

Cargo.lock

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added the predicate `mayBeFromImplicitlyDeclaredFunction()` to the `Call` class to represent calls that may be the return value of an implicitly declared C function.
+* Added the predicate `getAnExplicitDeclarationEntry()` to the `Function` class to get a `FunctionDeclarationEntry` that is not implicit.

cpp/ql/lib/change-notes/2014-10-16-implicitly-declared-fns.md

@@ -230,6 +230,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
       )
   }
 
+  /**
+   * Gets a non-implicit function declaration entry.
+   */
+  FunctionDeclarationEntry getAnExplicitDeclarationEntry() {
+    result = this.getADeclarationEntry() and
+    not result.isImplicit()
+  }
+
   private predicate declEntry(FunctionDeclarationEntry fde) {
     fun_decls(unresolveElement(fde), underlyingElement(this), _, _, _) and
     // If one .cpp file specializes a function, and another calls the

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -149,6 +149,11 @@ class Call extends Expr, NameQualifiableElement, TCall {
     variableAddressEscapesTreeNonConst(va, this.getQualifier().getFullyConverted()) and
     i = -1
   }
+
+  /** Holds if this expression could be the return value of an implicitly declared function. */
+  predicate mayBeFromImplicitlyDeclaredFunction() {
+    this.getTarget().getADeclarationEntry().isImplicit()
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -683,8 +683,13 @@ private Overlap getExtentOverlap(MemoryLocation0 def, MemoryLocation0 use) {
     def.getVirtualVariable() = use.getVirtualVariable() and
     def instanceof EntireAllocationMemoryLocation and
     (
-      // EntireAllocationMemoryLocation exactly overlaps itself.
-      use instanceof EntireAllocationMemoryLocation and
+      // EntireAllocationMemoryLocation exactly overlaps any EntireAllocationMemoryLocation for the
+      // same allocation. Checking the allocation, rather than the memory location itself, ensures
+      // that we get the right relationship between the "must" and "may" memory locations for that
+      // allocation.
+      // Note that if one of the locations is a "may" access, the overlap will be downgraded to
+      // `MustTotallyOverlap` or `MayPartialOverlap` in `getOverlap()`.
+      use.(EntireAllocationMemoryLocation).getAnAllocation() = def.getAnAllocation() and
       result instanceof MustExactlyOverlap
       or
       not use instanceof EntireAllocationMemoryLocation and

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -91,7 +91,7 @@ private class Sprintf extends FormattingFunction, NonThrowingFunction {
   override int getFirstFormatArgumentIndex() {
     if this.hasName("__builtin___sprintf_chk")
     then result = 4
-    else result = this.getNumberOfParameters()
+    else result = super.getFirstFormatArgumentIndex()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll

@@ -42,6 +42,21 @@ private Type getAFormatterWideTypeOrDefault() {
  * A standard library function that uses a `printf`-like formatting string.
  */
 abstract class FormattingFunction extends ArrayFunction, TaintFunction {
+  int firstFormatArgumentIndex;
+
+  FormattingFunction() {
+    firstFormatArgumentIndex > 0 and
+    if this.hasDefinition()
+    then firstFormatArgumentIndex = this.getDefinition().getNumberOfParameters()
+    else
+      if this instanceof BuiltInFunction
+      then firstFormatArgumentIndex = this.getNumberOfParameters()
+      else
+        forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
+          firstFormatArgumentIndex = fde.getNumberOfParameters()
+        )
+  }
+
   /** Gets the position at which the format parameter occurs. */
   abstract int getFormatParameterIndex();
 
@@ -121,33 +136,7 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
    * the first format specifier in the format string. We ignore all
    * implicit function definitions.
    */
-  int getFirstFormatArgumentIndex() {
-    // The formatting function either has a definition in the snapshot, or all
-    // `DeclarationEntry`s agree on the number of parameters (otherwise we don't
-    // really know the correct number)
-    if this.hasDefinition()
-    then result = this.getDefinition().getNumberOfParameters()
-    else result = this.getNumberOfExplicitParameters()
-  }
-
-  /**
-   * Gets a non-implicit function declaration entry.
-   */
-  private FunctionDeclarationEntry getAnExplicitDeclarationEntry() {
-    result = this.getADeclarationEntry() and
-    not result.isImplicit()
-  }
-
-  /**
-   * Gets the number of parameters, excluding any parameters that have been defined
-   * from implicit function declarations. If there is some inconsistency in the number
-   * of parameters, then don't return anything.
-   */
-  private int getNumberOfExplicitParameters() {
-    forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
-      result = fde.getNumberOfParameters()
-    )
-  }
+  int getFirstFormatArgumentIndex() { result = firstFormatArgumentIndex }
 
   /**
    * Gets the position of the buffer size argument, if any.

cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll

@@ -170,7 +170,8 @@ where
   ) and
   not arg.isAffectedByMacro() and
   not arg.isFromUninstantiatedTemplate(_) and
-  not actual.getUnspecifiedType() instanceof ErroneousType
+  not actual.getUnspecifiedType() instanceof ErroneousType and
+  not arg.(Call).mayBeFromImplicitlyDeclaredFunction()
 select arg,
   "This format specifier for type '" + expected.getName() + "' does not match the argument type '" +
     actual.getUnspecifiedType().getName() + "'."

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Remove results from the `cpp/wrong-type-format-argument` ("Wrong type of arguments to formatting function") query if the argument is the return value of an implicitly declared function.

cpp/ql/src/change-notes/2024-10-15-wrong-type-format-argument.md

@@ -1,4 +1,9 @@
-// query-type: graph
+/**
+ * query-type: graph
+ *
+ * @kind graph-equivalence-test
+ */
+
 import cpp
 
 class DestructorCallEnhanced extends DestructorCall {