Merge branch 'main' into js/graph-export

Author: asgerf

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll

@@ -27,4 +27,6 @@ module CppDataFlow implements InputSig<Location> {
   predicate mayBenefitFromCallContext = Private::mayBenefitFromCallContext/1;
 
   predicate viableImplInCallContext = Private::viableImplInCallContext/2;
+
+  predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1306,6 +1306,13 @@ predicate nodeIsHidden(Node n) {
   n instanceof InitialGlobalValue
 }
 
+predicate neverSkipInPathGraph(Node n) {
+  // Always show the right-hand side of assignments in the path graph
+  exists(n.asDefinition())
+  or
+  exists(n.asIndirectDefinition())
+}
+
 class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected

@@ -1,7 +1,9 @@
 edges
-| test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | provenance |  |
+| test.cpp:22:27:22:30 | **argv | test.cpp:23:20:23:26 | *access to array | provenance |  |
+| test.cpp:23:20:23:26 | *access to array | test.cpp:29:13:29:20 | *filePath | provenance |  |
 nodes
 | test.cpp:22:27:22:30 | **argv | semmle.label | **argv |
+| test.cpp:23:20:23:26 | *access to array | semmle.label | *access to array |
 | test.cpp:29:13:29:20 | *filePath | semmle.label | *filePath |
 subpaths
 #select

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected

@@ -1,11 +1,13 @@
 edges
-| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | provenance |  |
+| test.cpp:22:17:22:21 | (size_t)... | test.cpp:23:33:23:37 | size1 | provenance |  |
+| test.cpp:22:17:22:21 | ... * ... | test.cpp:22:17:22:21 | (size_t)... | provenance |  |
 | test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size | provenance |  |
 | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size | provenance |  |
 nodes
 | test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
 | test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
 | test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... |
+| test.cpp:22:17:22:21 | (size_t)... | semmle.label | (size_t)... |
 | test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... |
 | test.cpp:23:33:23:37 | size1 | semmle.label | size1 |
 | test.cpp:30:18:30:32 | ... * ... | semmle.label | ... * ... |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected

@@ -1,12 +1,15 @@
 edges
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:17:4:22 | call to malloc | provenance |  |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr | provenance |  |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | provenance |  |
 | test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:28:19:28:26 | call to mk_array [p] | provenance |  |
 | test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:50:18:50:25 | call to mk_array [p] | provenance |  |
 | test.cpp:21:5:21:7 | *arr [post update] [p] | test.cpp:22:5:22:7 | *arr [p] | provenance |  |
 | test.cpp:21:5:21:24 | ... = ... | test.cpp:21:5:21:7 | *arr [post update] [p] | provenance |  |
 | test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | ... = ... | provenance |  |
-| test.cpp:22:5:22:7 | *arr [p] | test.cpp:19:9:19:16 | *mk_array [p] | provenance |  |
+| test.cpp:22:5:22:7 | *arr [p] | test.cpp:24:12:24:14 | arr [p] | provenance |  |
+| test.cpp:24:12:24:14 | arr [p] | test.cpp:19:9:19:16 | *mk_array [p] | provenance |  |
+| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:28:19:28:26 | call to mk_array [p] | provenance |  |
 | test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | *arr [p] | provenance |  |
 | test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | *arr [p] | provenance |  |
 | test.cpp:31:9:31:11 | *arr [p] | test.cpp:31:13:31:13 | p | provenance |  |
@@ -28,7 +31,9 @@ edges
 | test.cpp:69:5:69:7 | *arr [post update] [p] | test.cpp:70:5:70:7 | *arr [p] | provenance |  |
 | test.cpp:69:5:69:25 | ... = ... | test.cpp:69:5:69:7 | *arr [post update] [p] | provenance |  |
 | test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... | provenance |  |
-| test.cpp:70:5:70:7 | *arr [p] | test.cpp:67:10:67:19 | **mk_array_p [p] | provenance |  |
+| test.cpp:70:5:70:7 | *arr [p] | test.cpp:72:12:72:14 | *arr [p] | provenance |  |
+| test.cpp:72:12:72:14 | *arr [p] | test.cpp:67:10:67:19 | **mk_array_p [p] | provenance |  |
+| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:76:20:76:29 | *call to mk_array_p [p] | provenance |  |
 | test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:79:9:79:11 | *arr [p] | provenance |  |
 | test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:83:9:83:11 | *arr [p] | provenance |  |
 | test.cpp:79:9:79:11 | *arr [p] | test.cpp:79:14:79:14 | p | provenance |  |
@@ -43,13 +48,16 @@ edges
 | test.cpp:98:18:98:27 | test6_callee output argument [p] | test.cpp:98:18:98:27 | *call to mk_array_p [p] | provenance |  |
 nodes
 | test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
+| test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
 | test.cpp:6:9:6:11 | arr | semmle.label | arr |
 | test.cpp:10:9:10:11 | arr | semmle.label | arr |
 | test.cpp:19:9:19:16 | *mk_array [p] | semmle.label | *mk_array [p] |
 | test.cpp:21:5:21:7 | *arr [post update] [p] | semmle.label | *arr [post update] [p] |
 | test.cpp:21:5:21:24 | ... = ... | semmle.label | ... = ... |
 | test.cpp:21:13:21:18 | call to malloc | semmle.label | call to malloc |
 | test.cpp:22:5:22:7 | *arr [p] | semmle.label | *arr [p] |
+| test.cpp:24:12:24:14 | arr [p] | semmle.label | arr [p] |
+| test.cpp:28:19:28:26 | call to mk_array [p] | semmle.label | call to mk_array [p] |
 | test.cpp:28:19:28:26 | call to mk_array [p] | semmle.label | call to mk_array [p] |
 | test.cpp:31:9:31:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:31:13:31:13 | p | semmle.label | p |
@@ -74,6 +82,8 @@ nodes
 | test.cpp:69:5:69:25 | ... = ... | semmle.label | ... = ... |
 | test.cpp:69:14:69:19 | call to malloc | semmle.label | call to malloc |
 | test.cpp:70:5:70:7 | *arr [p] | semmle.label | *arr [p] |
+| test.cpp:72:12:72:14 | *arr [p] | semmle.label | *arr [p] |
+| test.cpp:76:20:76:29 | *call to mk_array_p [p] | semmle.label | *call to mk_array_p [p] |
 | test.cpp:76:20:76:29 | *call to mk_array_p [p] | semmle.label | *call to mk_array_p [p] |
 | test.cpp:79:9:79:11 | *arr [p] | semmle.label | *arr [p] |
 | test.cpp:79:14:79:14 | p | semmle.label | p |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected

@@ -18,8 +18,9 @@ edges
 | test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... | provenance |  |
 | test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p | provenance |  |
 | test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf | provenance |  |
-| test.cpp:85:34:85:36 | buf | test.cpp:87:5:87:31 | access to array | provenance |  |
-| test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | provenance |  |
+| test.cpp:85:21:85:36 | (char *)... | test.cpp:87:5:87:31 | access to array | provenance |  |
+| test.cpp:85:21:85:36 | (char *)... | test.cpp:88:5:88:27 | access to array | provenance |  |
+| test.cpp:85:34:85:36 | buf | test.cpp:85:21:85:36 | (char *)... | provenance |  |
 | test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array | provenance |  |
 | test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array | provenance |  |
 | test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array | provenance |  |
@@ -32,17 +33,21 @@ edges
 | test.cpp:119:17:119:19 | arr | test.cpp:119:17:119:22 | access to array | provenance |  |
 | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | provenance |  |
 | test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... | provenance |  |
+| test.cpp:136:9:136:16 | ... += ... | test.cpp:136:9:136:16 | ... += ... | provenance |  |
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr | provenance |  |
 | test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr | provenance |  |
 | test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf | provenance |  |
 | test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... | provenance |  |
 | test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... | provenance |  |
+| test.cpp:156:12:156:18 | ... + ... | test.cpp:156:12:156:18 | ... + ... | provenance |  |
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... | provenance |  |
 | test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p | provenance |  |
-| test.cpp:218:23:218:28 | buffer | test.cpp:220:5:220:11 | access to array | provenance |  |
-| test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | provenance |  |
-| test.cpp:229:25:229:29 | array | test.cpp:231:5:231:10 | access to array | provenance |  |
-| test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | provenance |  |
+| test.cpp:218:16:218:28 | (int *)... | test.cpp:220:5:220:11 | access to array | provenance |  |
+| test.cpp:218:16:218:28 | (int *)... | test.cpp:221:5:221:11 | access to array | provenance |  |
+| test.cpp:218:23:218:28 | buffer | test.cpp:218:16:218:28 | (int *)... | provenance |  |
+| test.cpp:229:17:229:29 | (vec2 *)... | test.cpp:231:5:231:10 | access to array | provenance |  |
+| test.cpp:229:17:229:29 | (vec2 *)... | test.cpp:232:5:232:10 | access to array | provenance |  |
+| test.cpp:229:25:229:29 | array | test.cpp:229:17:229:29 | (vec2 *)... | provenance |  |
 | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance |  |
 | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance |  |
 | test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p | provenance |  |
@@ -61,13 +66,16 @@ edges
 | test.cpp:306:20:306:23 | arr1 | test.cpp:306:20:306:23 | arr1 | provenance |  |
 | test.cpp:309:20:309:23 | arr2 | test.cpp:292:25:292:27 | arr | provenance |  |
 | test.cpp:309:20:309:23 | arr2 | test.cpp:309:20:309:23 | arr2 | provenance |  |
+| test.cpp:319:13:319:27 | ... = ... | test.cpp:325:24:325:26 | end | provenance |  |
 | test.cpp:319:19:319:22 | temp | test.cpp:319:19:319:27 | ... + ... | provenance |  |
 | test.cpp:319:19:319:22 | temp | test.cpp:324:23:324:32 | ... + ... | provenance |  |
-| test.cpp:319:19:319:27 | ... + ... | test.cpp:325:24:325:26 | end | provenance |  |
+| test.cpp:319:19:319:27 | ... + ... | test.cpp:319:13:319:27 | ... = ... | provenance |  |
+| test.cpp:322:13:322:27 | ... = ... | test.cpp:325:24:325:26 | end | provenance |  |
 | test.cpp:322:19:322:22 | temp | test.cpp:322:19:322:27 | ... + ... | provenance |  |
 | test.cpp:322:19:322:22 | temp | test.cpp:324:23:324:32 | ... + ... | provenance |  |
-| test.cpp:322:19:322:27 | ... + ... | test.cpp:325:24:325:26 | end | provenance |  |
+| test.cpp:322:19:322:27 | ... + ... | test.cpp:322:13:322:27 | ... = ... | provenance |  |
 | test.cpp:324:23:324:26 | temp | test.cpp:324:23:324:32 | ... + ... | provenance |  |
+| test.cpp:324:23:324:32 | ... + ... | test.cpp:324:23:324:32 | ... + ... | provenance |  |
 | test.cpp:324:23:324:32 | ... + ... | test.cpp:325:15:325:19 | temp2 | provenance |  |
 nodes
 | test.cpp:34:5:34:24 | access to array | semmle.label | access to array |
@@ -103,6 +111,7 @@ nodes
 | test.cpp:77:32:77:34 | buf | semmle.label | buf |
 | test.cpp:79:27:79:34 | buf | semmle.label | buf |
 | test.cpp:79:32:79:34 | buf | semmle.label | buf |
+| test.cpp:85:21:85:36 | (char *)... | semmle.label | (char *)... |
 | test.cpp:85:34:85:36 | buf | semmle.label | buf |
 | test.cpp:87:5:87:31 | access to array | semmle.label | access to array |
 | test.cpp:88:5:88:27 | access to array | semmle.label | access to array |
@@ -118,17 +127,21 @@ nodes
 | test.cpp:128:9:128:14 | access to array | semmle.label | access to array |
 | test.cpp:134:25:134:27 | arr | semmle.label | arr |
 | test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... |
+| test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... |
 | test.cpp:138:13:138:15 | arr | semmle.label | arr |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:146:26:146:26 | *p | semmle.label | *p |
 | test.cpp:147:4:147:9 | -- ... | semmle.label | -- ... |
 | test.cpp:156:12:156:14 | buf | semmle.label | buf |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
+| test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
 | test.cpp:158:17:158:18 | *& ... | semmle.label | *& ... |
+| test.cpp:218:16:218:28 | (int *)... | semmle.label | (int *)... |
 | test.cpp:218:23:218:28 | buffer | semmle.label | buffer |
 | test.cpp:220:5:220:11 | access to array | semmle.label | access to array |
 | test.cpp:221:5:221:11 | access to array | semmle.label | access to array |
+| test.cpp:229:17:229:29 | (vec2 *)... | semmle.label | (vec2 *)... |
 | test.cpp:229:25:229:29 | array | semmle.label | array |
 | test.cpp:231:5:231:10 | access to array | semmle.label | access to array |
 | test.cpp:232:5:232:10 | access to array | semmle.label | access to array |
@@ -152,12 +165,15 @@ nodes
 | test.cpp:306:20:306:23 | arr1 | semmle.label | arr1 |
 | test.cpp:309:20:309:23 | arr2 | semmle.label | arr2 |
 | test.cpp:309:20:309:23 | arr2 | semmle.label | arr2 |
+| test.cpp:319:13:319:27 | ... = ... | semmle.label | ... = ... |
 | test.cpp:319:19:319:22 | temp | semmle.label | temp |
 | test.cpp:319:19:319:27 | ... + ... | semmle.label | ... + ... |
+| test.cpp:322:13:322:27 | ... = ... | semmle.label | ... = ... |
 | test.cpp:322:19:322:22 | temp | semmle.label | temp |
 | test.cpp:322:19:322:27 | ... + ... | semmle.label | ... + ... |
 | test.cpp:324:23:324:26 | temp | semmle.label | temp |
 | test.cpp:324:23:324:32 | ... + ... | semmle.label | ... + ... |
+| test.cpp:324:23:324:32 | ... + ... | semmle.label | ... + ... |
 | test.cpp:325:15:325:19 | temp2 | semmle.label | temp2 |
 | test.cpp:325:24:325:26 | end | semmle.label | end |
 | test.cpp:325:24:325:26 | end | semmle.label | end |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected

@@ -1,9 +1,12 @@
 edges
-| test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func | provenance |  |
-| test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | provenance |  |
+| test.cpp:45:18:45:23 | buffer | test.cpp:47:10:47:15 | buffer | provenance |  |
+| test.cpp:47:10:47:15 | buffer | test.cpp:45:7:45:10 | *func | provenance |  |
+| test.cpp:74:24:74:30 | medical | test.cpp:77:16:77:22 | medical | provenance |  |
 | test.cpp:74:24:74:30 | medical | test.cpp:81:22:81:28 | medical | provenance |  |
+| test.cpp:77:16:77:22 | medical | test.cpp:77:16:77:22 | medical | provenance |  |
 | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | provenance |  |
 | test.cpp:77:16:77:22 | medical | test.cpp:81:22:81:28 | medical | provenance |  |
+| test.cpp:81:17:81:20 | call to func | test.cpp:81:17:81:20 | call to func | provenance |  |
 | test.cpp:81:17:81:20 | call to func | test.cpp:82:24:82:28 | buff5 | provenance |  |
 | test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | provenance |  |
 | test.cpp:81:22:81:28 | medical | test.cpp:81:17:81:20 | call to func | provenance |  |
@@ -12,12 +15,15 @@ edges
 nodes
 | test.cpp:45:7:45:10 | *func | semmle.label | *func |
 | test.cpp:45:18:45:23 | buffer | semmle.label | buffer |
+| test.cpp:47:10:47:15 | buffer | semmle.label | buffer |
 | test.cpp:57:9:57:18 | theZipcode | semmle.label | theZipcode |
 | test.cpp:74:24:74:30 | medical | semmle.label | medical |
 | test.cpp:74:24:74:30 | medical | semmle.label | medical |
 | test.cpp:77:16:77:22 | medical | semmle.label | medical |
+| test.cpp:77:16:77:22 | medical | semmle.label | medical |
 | test.cpp:78:24:78:27 | temp | semmle.label | temp |
 | test.cpp:81:17:81:20 | call to func | semmle.label | call to func |
+| test.cpp:81:17:81:20 | call to func | semmle.label | call to func |
 | test.cpp:81:22:81:28 | medical | semmle.label | medical |
 | test.cpp:82:24:82:28 | buff5 | semmle.label | buff5 |
 | test.cpp:96:37:96:46 | theZipcode | semmle.label | theZipcode |