Merge branch 'main' into skip-safe-conversions-in-range-analysis

Author: MathiasVP

.github/workflows/ruby-build.yml

@@ -50,7 +50,7 @@ jobs:
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
       - name: Install cargo-cross
         if: runner.os == 'Linux'
-        run: cargo install cross --version 0.2.1
+        run: cargo install cross --version 0.2.5
       - uses: ./.github/actions/os-version
         id: os_version
       - name: Cache entire extractor
@@ -85,7 +85,12 @@ jobs:
       # This ensures we don't depend on glibc > 2.17.
       - name: Release build (linux)
         if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
-        run: cd extractor && cross build --release
+        run: |
+          cd extractor
+          cross build --release
+          mv target/x86_64-unknown-linux-gnu/release/extractor target/release/
+          mv target/x86_64-unknown-linux-gnu/release/autobuilder target/release/
+          mv target/x86_64-unknown-linux-gnu/release/generator target/release/
       - name: Release build (windows and macos)
         if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
         run: cd extractor && cargo build --release

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll

@@ -591,24 +591,6 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
     delta = D::fromInt(0) and
     (upper = true or upper = false)
     or
-    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-      // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
-      not x instanceof SemConstantIntegerExpr and
-      not e1 instanceof SemConstantIntegerExpr and
-      if strictlyPositiveIntegralExpr(x)
-      then upper = false and delta = D::fromInt(1)
-      else
-        if semPositive(x)
-        then upper = false and delta = D::fromInt(0)
-        else
-          if strictlyNegativeIntegralExpr(x)
-          then upper = true and delta = D::fromInt(-1)
-          else
-            if semNegative(x)
-            then upper = true and delta = D::fromInt(0)
-            else none()
-    )
-    or
     exists(SemExpr x, SemSubExpr sub |
       e2 = sub and
       sub.getLeftOperand() = e1 and
@@ -1043,13 +1025,44 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
         delta = D::fromFloat(f) and
         if semPositive(e) then f >= 0 else any()
       )
+      or
+      exists(
+        SemBound bLeft, SemBound bRight, D::Delta dLeft, D::Delta dRight, boolean fbeLeft,
+        boolean fbeRight, D::Delta odLeft, D::Delta odRight, SemReason rLeft, SemReason rRight
+      |
+        boundedAddOperand(e, upper, bLeft, false, dLeft, fbeLeft, odLeft, rLeft) and
+        boundedAddOperand(e, upper, bRight, true, dRight, fbeRight, odRight, rRight) and
+        delta = D::fromFloat(D::toFloat(dLeft) + D::toFloat(dRight)) and
+        fromBackEdge = fbeLeft.booleanOr(fbeRight)
+      |
+        b = bLeft and origdelta = odLeft and reason = rLeft and bRight instanceof SemZeroBound
+        or
+        b = bRight and origdelta = odRight and reason = rRight and bLeft instanceof SemZeroBound
+      )
     )
   }
 
+  pragma[nomagic]
   private predicate boundedConditionalExpr(
     SemConditionalExpr cond, SemBound b, boolean upper, boolean branch, D::Delta delta,
     boolean fromBackEdge, D::Delta origdelta, SemReason reason
   ) {
     bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
   }
+
+  pragma[nomagic]
+  private predicate boundedAddOperand(
+    SemAddExpr add, boolean upper, SemBound b, boolean isLeft, D::Delta delta, boolean fromBackEdge,
+    D::Delta origdelta, SemReason reason
+  ) {
+    // `semValueFlowStep` already handles the case where one of the operands is a constant.
+    not semValueFlowStep(add, _, _) and
+    (
+      isLeft = true and
+      bounded(add.getLeftOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+      or
+      isLeft = false and
+      bounded(add.getRightOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+    )
+  }
 }

cpp/ql/lib/qlpack.yml

@@ -8,3 +8,4 @@ upgrades: upgrades
 dependencies:
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
+  codeql/util: ${workspace}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -3,6 +3,7 @@ private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
 private import DataFlowImplConsistency
+import codeql.util.Unit
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
@@ -264,15 +265,6 @@ int accessPathLimit() { result = 5 }
  */
 predicate forceHighPrecision(Content c) { none() }
 
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) { none() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -6,6 +6,7 @@ private import DataFlowImplConsistency
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
+import codeql.util.Unit
 
 cached
 private module Cached {
@@ -799,15 +800,6 @@ int accessPathLimit() { result = 5 }
  */
 predicate forceHighPrecision(Content c) { none() }
 
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) {
   n instanceof OperandNode and

cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql

@@ -62,11 +62,16 @@ predicate hasSize(AllocationExpr alloc, DataFlow::Node n, string state) {
 predicate isSinkPairImpl(
   CallInstruction c, DataFlow::Node bufSink, DataFlow::Node sizeSink, int delta, Expr eBuf
 ) {
-  exists(int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr |
+  exists(
+    int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr, ArrayFunction func
+  |
     bufInstr = bufSink.asInstruction() and
     c.getArgument(bufIndex) = bufInstr and
     sizeInstr = sizeSink.asInstruction() and
-    c.getStaticCallTarget().(ArrayFunction).hasArrayWithVariableSize(bufIndex, sizeIndex) and
+    c.getStaticCallTarget() = func and
+    pragma[only_bind_into](func)
+        .hasArrayWithVariableSize(pragma[only_bind_into](bufIndex),
+          pragma[only_bind_into](sizeIndex)) and
     bounded(c.getArgument(sizeIndex), sizeInstr, delta) and
     eBuf = bufInstr.getUnconvertedResultExpression()
   )

cpp/ql/test/library-tests/CPP-205/elements.expected

@@ -1,35 +1,21 @@
-| CPP-205.cpp:0:0:0:0 | CPP-205.cpp |  |
-| CPP-205.cpp:1:20:1:20 | T |  |
-| CPP-205.cpp:1:20:1:20 | definition of T |  |
-| CPP-205.cpp:2:5:2:5 | definition of fn | function declaration entry for int fn<int>(int) |
-| CPP-205.cpp:2:5:2:5 | fn | function int fn<int>(int) |
-| CPP-205.cpp:2:5:2:6 | definition of fn | function declaration entry for int fn<T>(T) |
-| CPP-205.cpp:2:5:2:6 | fn | function int fn<T>(T) |
-| CPP-205.cpp:2:10:2:12 | definition of out | parameter declaration entry for int fn<T>(T) |
-| CPP-205.cpp:2:10:2:12 | definition of out | parameter declaration entry for int fn<int>(int) |
-| CPP-205.cpp:2:10:2:12 | out | parameter for int fn<T>(T) |
-| CPP-205.cpp:2:10:2:12 | out | parameter for int fn<int>(int) |
-| CPP-205.cpp:2:15:5:1 | { ... } |  |
-| CPP-205.cpp:2:15:5:1 | { ... } |  |
-| CPP-205.cpp:3:3:3:33 | declaration |  |
-| CPP-205.cpp:3:3:3:33 | declaration |  |
-| CPP-205.cpp:3:15:3:15 | declaration of y |  |
-| CPP-205.cpp:3:15:3:15 | y |  |
-| CPP-205.cpp:3:17:3:31 | 5 |  |
-| CPP-205.cpp:4:3:4:11 | return ... |  |
-| CPP-205.cpp:4:3:4:11 | return ... |  |
-| CPP-205.cpp:4:10:4:10 | 0 |  |
-| CPP-205.cpp:4:10:4:10 | 0 |  |
+| CPP-205.cpp:2:5:2:5 | definition of fn | function declaration entry for int fn<int>(int), isFromTemplateInstantiation(fn) |
+| CPP-205.cpp:2:5:2:5 | fn | function int fn<int>(int), isFromTemplateInstantiation(fn) |
+| CPP-205.cpp:2:5:2:6 | definition of fn | function declaration entry for int fn<T>(T), isFromUninstantiatedTemplate(fn) |
+| CPP-205.cpp:2:5:2:6 | fn | function int fn<T>(T), isFromUninstantiatedTemplate(fn) |
+| CPP-205.cpp:2:10:2:12 | definition of out | isFromTemplateInstantiation(fn), parameter declaration entry for int fn<int>(int) |
+| CPP-205.cpp:2:10:2:12 | definition of out | isFromUninstantiatedTemplate(fn), parameter declaration entry for int fn<T>(T) |
+| CPP-205.cpp:2:10:2:12 | out | isFromTemplateInstantiation(fn), parameter for int fn<int>(int) |
+| CPP-205.cpp:2:10:2:12 | out | isFromUninstantiatedTemplate(fn), parameter for int fn<T>(T) |
+| CPP-205.cpp:2:15:5:1 | { ... } | isFromTemplateInstantiation(fn) |
+| CPP-205.cpp:2:15:5:1 | { ... } | isFromUninstantiatedTemplate(fn) |
+| CPP-205.cpp:3:3:3:33 | declaration | isFromTemplateInstantiation(fn) |
+| CPP-205.cpp:3:3:3:33 | declaration | isFromUninstantiatedTemplate(fn) |
+| CPP-205.cpp:3:15:3:15 | declaration of y | isFromUninstantiatedTemplate(fn) |
+| CPP-205.cpp:3:15:3:15 | y | isFromUninstantiatedTemplate(fn) |
+| CPP-205.cpp:3:17:3:31 | 5 | isFromTemplateInstantiation(fn) |
+| CPP-205.cpp:4:3:4:11 | return ... | isFromTemplateInstantiation(fn) |
+| CPP-205.cpp:4:3:4:11 | return ... | isFromUninstantiatedTemplate(fn) |
+| CPP-205.cpp:4:10:4:10 | 0 | isFromTemplateInstantiation(fn) |
+| CPP-205.cpp:4:10:4:10 | 0 | isFromUninstantiatedTemplate(fn) |
 | CPP-205.cpp:7:5:7:8 | definition of main | function declaration entry for int main() |
 | CPP-205.cpp:7:5:7:8 | main | function int main() |
-| CPP-205.cpp:7:12:9:1 | { ... } |  |
-| CPP-205.cpp:8:3:8:15 | return ... |  |
-| CPP-205.cpp:8:10:8:11 | call to fn |  |
-| CPP-205.cpp:8:13:8:13 | 0 |  |
-| file://:0:0:0:0 | (unnamed parameter 0) | parameter for __va_list_tag& __va_list_tag::operator=(__va_list_tag const&) |
-| file://:0:0:0:0 | (unnamed parameter 0) | parameter for __va_list_tag& __va_list_tag::operator=(__va_list_tag&&) |
-| file://:0:0:0:0 | __super |  |
-| file://:0:0:0:0 | __va_list_tag |  |
-| file://:0:0:0:0 | operator= | function __va_list_tag& __va_list_tag::operator=(__va_list_tag const&) |
-| file://:0:0:0:0 | operator= | function __va_list_tag& __va_list_tag::operator=(__va_list_tag&&) |
-| file://:0:0:0:0 | y |  |

cpp/ql/test/library-tests/CPP-205/elements.ql

@@ -14,10 +14,20 @@ string describe(Element e) {
   result =
     "parameter declaration entry for " +
       getIdentityString(e.(ParameterDeclarationEntry).getFunctionDeclarationEntry().getFunction())
+  or
+  exists(Element template |
+    e.isFromTemplateInstantiation(template) and
+    result = "isFromTemplateInstantiation(" + template.toString() + ")"
+  )
+  or
+  exists(Element template |
+    e.isFromUninstantiatedTemplate(template) and
+    result = "isFromUninstantiatedTemplate(" + template.toString() + ")"
+  )
 }
 
 from Element e
 where
-  not e.getLocation() instanceof UnknownLocation and
+  e.getLocation().getFile().getBaseName() != "" and
   not e instanceof Folder
-select e, concat(describe(e), ", ")
+select e, strictconcat(describe(e), ", ")