Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch

Author: atorralba

cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql

@@ -9,6 +9,8 @@
  * @id cpp/signed-overflow-check
  * @tags correctness
  *       security
+ *       external/cwe/cwe-128
+ *       external/cwe/cwe-190
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql

@@ -7,12 +7,12 @@
  * @kind path-problem
  * @problem.severity warning
  * @precision high
+ * @id cpp/upcast-array-pointer-arithmetic
  * @tags correctness
  *       reliability
  *       security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-843
- * @id cpp/upcast-array-pointer-arithmetic
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql

@@ -8,6 +8,8 @@
  * @tags reliability
  *       correctness
  *       security
+ *       external/cwe/cwe-190
+ *       external/cwe/cwe-253
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql

@@ -9,6 +9,7 @@
  * @tags reliability
  *       correctness
  *       security
+ *       external/cwe/cwe-234
  *       external/cwe/cwe-685
  */
 

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql

@@ -8,6 +8,7 @@
  * @id cpp/pointer-overflow-check
  * @tags reliability
  *       security
+ *       external/cwe/cwe-758
  */
 
 import cpp

cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql

@@ -10,6 +10,7 @@
  * @tags correctness
  *       language-features
  *       security
+ *       external/cwe/cwe-670
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql

@@ -12,6 +12,8 @@
  * @tags correctness
  *       maintainability
  *       security
+ *       external/cwe/cwe-234
+ *       external/cwe/cwe-685
  */
 
 import cpp

cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql

@@ -53,20 +53,27 @@ class WrongCheckErrorOperatorNew extends FunctionCall {
    * Holds if results call `operator new` check in `operator if`.
    */
   predicate isExistsIfCondition() {
-    exists(IfCompareWithZero ifc, AssignExpr aex, Initializer it |
+    exists(IfCompareWithZero ifc |
       // call `operator new` directly from the condition of `operator if`.
       this = ifc.getCondition().getAChild*()
       or
-      // check results call `operator new` with variable appropriation
       postDominates(ifc, this) and
-      aex.getAChild() = exp and
-      ifc.getCondition().getAChild().(VariableAccess).getTarget() =
-        aex.getLValue().(VariableAccess).getTarget()
-      or
-      // check results call `operator new` with declaration variable
-      postDominates(ifc, this) and
-      exp = it.getExpr() and
-      it.getDeclaration() = ifc.getCondition().getAChild().(VariableAccess).getTarget()
+      exists(Variable v |
+        v = ifc.getCondition().getAChild().(VariableAccess).getTarget() and
+        (
+          exists(AssignExpr aex |
+            // check results call `operator new` with variable appropriation
+            aex.getAChild() = exp and
+            v = aex.getLValue().(VariableAccess).getTarget()
+          )
+          or
+          exists(Initializer it |
+            // check results call `operator new` with declaration variable
+            exp = it.getExpr() and
+            it.getDeclaration() = v
+          )
+        )
+      )
     )
   }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -297,7 +297,8 @@ class Instruction extends Construction::TStageInstruction {
   /**
    * Gets the opcode that specifies the operation performed by this instruction.
    */
-  final Opcode getOpcode() { result = Construction::getInstructionOpcode(this) }
+  pragma[inline]
+  final Opcode getOpcode() { Construction::getInstructionOpcode(result, this) }
 
   /**
    * Gets all direct uses of the result of this instruction. The result can be

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -338,15 +338,21 @@ private module Cached {
     instr = unreachedInstruction(_) and result = Language::getVoidType()
   }
 
+  /**
+   * Holds if `opcode` is the opcode that specifies the operation performed by `instr`.
+   *
+   * The parameters are ordered such that they produce a clean join (with no need for reordering)
+   * in the characteristic predicates of the `Instruction` subclasses.
+   */
   cached
-  Opcode getInstructionOpcode(Instruction instr) {
-    result = getOldInstruction(instr).getOpcode()
+  predicate getInstructionOpcode(Opcode opcode, Instruction instr) {
+    opcode = getOldInstruction(instr).getOpcode()
     or
-    instr = phiInstruction(_, _) and result instanceof Opcode::Phi
+    instr = phiInstruction(_, _) and opcode instanceof Opcode::Phi
     or
-    instr = chiInstruction(_) and result instanceof Opcode::Chi
+    instr = chiInstruction(_) and opcode instanceof Opcode::Chi
     or
-    instr = unreachedInstruction(_) and result instanceof Opcode::Unreached
+    instr = unreachedInstruction(_) and opcode instanceof Opcode::Unreached
   }
 
   cached