Merge branch 'main' into main

Author: raulgarciamsft

.github/workflows/ruby-build.yml

@@ -50,7 +50,7 @@ jobs:
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
       - name: Install cargo-cross
         if: runner.os == 'Linux'
-        run: cargo install cross --version 0.2.1
+        run: cargo install cross --version 0.2.5
       - uses: ./.github/actions/os-version
         id: os_version
       - name: Cache entire extractor
@@ -85,7 +85,12 @@ jobs:
       # This ensures we don't depend on glibc > 2.17.
       - name: Release build (linux)
         if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
-        run: cd extractor && cross build --release
+        run: |
+          cd extractor
+          cross build --release
+          mv target/x86_64-unknown-linux-gnu/release/extractor target/release/
+          mv target/x86_64-unknown-linux-gnu/release/autobuilder target/release/
+          mv target/x86_64-unknown-linux-gnu/release/generator target/release/
       - name: Release build (windows and macos)
         if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
         run: cd extractor && cargo build --release

.github/workflows/ruby-qltest.yml

@@ -4,6 +4,7 @@ on:
   push:
     paths:
       - "ruby/**"
+      - "shared/**"
       - .github/workflows/ruby-build.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml

cpp/ql/lib/change-notes/2023-03-28-dataflow-rm-footgun.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll

@@ -591,24 +591,6 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
     delta = D::fromInt(0) and
     (upper = true or upper = false)
     or
-    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-      // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
-      not x instanceof SemConstantIntegerExpr and
-      not e1 instanceof SemConstantIntegerExpr and
-      if strictlyPositiveIntegralExpr(x)
-      then upper = false and delta = D::fromInt(1)
-      else
-        if semPositive(x)
-        then upper = false and delta = D::fromInt(0)
-        else
-          if strictlyNegativeIntegralExpr(x)
-          then upper = true and delta = D::fromInt(-1)
-          else
-            if semNegative(x)
-            then upper = true and delta = D::fromInt(0)
-            else none()
-    )
-    or
     exists(SemExpr x, SemSubExpr sub |
       e2 = sub and
       sub.getLeftOperand() = e1 and
@@ -1043,13 +1025,193 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
         delta = D::fromFloat(f) and
         if semPositive(e) then f >= 0 else any()
       )
+      or
+      exists(
+        SemBound bLeft, SemBound bRight, D::Delta dLeft, D::Delta dRight, boolean fbeLeft,
+        boolean fbeRight, D::Delta odLeft, D::Delta odRight, SemReason rLeft, SemReason rRight
+      |
+        boundedAddOperand(e, upper, bLeft, false, dLeft, fbeLeft, odLeft, rLeft) and
+        boundedAddOperand(e, upper, bRight, true, dRight, fbeRight, odRight, rRight) and
+        delta = D::fromFloat(D::toFloat(dLeft) + D::toFloat(dRight)) and
+        fromBackEdge = fbeLeft.booleanOr(fbeRight)
+      |
+        b = bLeft and origdelta = odLeft and reason = rLeft and bRight instanceof SemZeroBound
+        or
+        b = bRight and origdelta = odRight and reason = rRight and bLeft instanceof SemZeroBound
+      )
+      or
+      exists(
+        SemRemExpr rem, SemZeroBound b1, SemZeroBound b2, D::Delta d_max, D::Delta d1, D::Delta d2,
+        boolean fbe1, boolean fbe2, D::Delta od1, D::Delta od2, SemReason r1, SemReason r2
+      |
+        rem = e and
+        not (upper = true and semPositive(rem.getRightOperand())) and
+        not (upper = true and semPositive(rem.getLeftOperand())) and
+        boundedRemExpr(rem, b1, true, d1, fbe1, od1, r1) and
+        boundedRemExpr(rem, b2, false, d2, fbe2, od2, r2) and
+        (
+          if D::toFloat(d1).abs() > D::toFloat(d2).abs()
+          then (
+            b = b1 and d_max = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
+          ) else (
+            b = b2 and d_max = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
+          )
+        )
+      |
+        upper = true and delta = D::fromFloat(D::toFloat(d_max).abs() - 1)
+        or
+        upper = false and delta = D::fromFloat(-D::toFloat(d_max).abs() + 1)
+      )
+      or
+      exists(
+        D::Delta dLeft, D::Delta dRight, boolean fbeLeft, boolean fbeRight, D::Delta odLeft,
+        D::Delta odRight, SemReason rLeft, SemReason rRight
+      |
+        boundedMulOperand(e, upper, true, dLeft, fbeLeft, odLeft, rLeft) and
+        boundedMulOperand(e, upper, false, dRight, fbeRight, odRight, rRight) and
+        delta = D::fromFloat(D::toFloat(dLeft) * D::toFloat(dRight)) and
+        fromBackEdge = fbeLeft.booleanOr(fbeRight)
+      |
+        b instanceof SemZeroBound and origdelta = odLeft and reason = rLeft
+        or
+        b instanceof SemZeroBound and origdelta = odRight and reason = rRight
+      )
     )
   }
 
+  pragma[nomagic]
   private predicate boundedConditionalExpr(
     SemConditionalExpr cond, SemBound b, boolean upper, boolean branch, D::Delta delta,
     boolean fromBackEdge, D::Delta origdelta, SemReason reason
   ) {
     bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
   }
+
+  pragma[nomagic]
+  private predicate boundedAddOperand(
+    SemAddExpr add, boolean upper, SemBound b, boolean isLeft, D::Delta delta, boolean fromBackEdge,
+    D::Delta origdelta, SemReason reason
+  ) {
+    // `semValueFlowStep` already handles the case where one of the operands is a constant.
+    not semValueFlowStep(add, _, _) and
+    (
+      isLeft = true and
+      bounded(add.getLeftOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+      or
+      isLeft = false and
+      bounded(add.getRightOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+    )
+  }
+
+  private predicate boundedRemExpr(
+    SemRemExpr rem, SemZeroBound b, boolean upper, D::Delta delta, boolean fromBackEdge,
+    D::Delta origdelta, SemReason reason
+  ) {
+    bounded(rem.getRightOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+  }
+
+  /**
+   * Define `cmp(true) = <=` and `cmp(false) = >=`.
+   *
+   * Holds if `mul = left * right`, and in order to know if `mul cmp(upper) 0 + k` (for
+   * some `k`) we need to know that `left cmp(upperLeft) 0 + k1` and
+   * `right cmp(upperRight) 0 + k2` (for some `k1` and `k2`).
+   */
+  pragma[nomagic]
+  private predicate boundedMulOperandCand(
+    SemMulExpr mul, SemExpr left, SemExpr right, boolean upper, boolean upperLeft,
+    boolean upperRight
+  ) {
+    not boundFlowStepMul(mul, _, _) and
+    mul.getLeftOperand() = left and
+    mul.getRightOperand() = right and
+    (
+      semPositive(left) and
+      (
+        // left, right >= 0
+        semPositive(right) and
+        (
+          // max(left * right) = max(left) * max(right)
+          upper = true and
+          upperLeft = true and
+          upperRight = true
+          or
+          // min(left * right) = min(left) * min(right)
+          upper = false and
+          upperLeft = false and
+          upperRight = false
+        )
+        or
+        // left >= 0, right <= 0
+        semNegative(right) and
+        (
+          // max(left * right) = min(left) * max(right)
+          upper = true and
+          upperLeft = false and
+          upperRight = true
+          or
+          // min(left * right) = max(left) * min(right)
+          upper = false and
+          upperLeft = true and
+          upperRight = false
+        )
+      )
+      or
+      semNegative(left) and
+      (
+        // left <= 0, right >= 0
+        semPositive(right) and
+        (
+          // max(left * right) = max(left) * min(right)
+          upper = true and
+          upperLeft = true and
+          upperRight = false
+          or
+          // min(left * right) = min(left) * max(right)
+          upper = false and
+          upperLeft = false and
+          upperRight = true
+        )
+        or
+        // left, right <= 0
+        semNegative(right) and
+        (
+          // max(left * right) = min(left) * min(right)
+          upper = true and
+          upperLeft = false and
+          upperRight = false
+          or
+          // min(left * right) = max(left) * max(right)
+          upper = false and
+          upperLeft = true and
+          upperRight = true
+        )
+      )
+    )
+  }
+
+  /**
+   * Holds if `isLeft = true` and `mul`'s left operand is bounded by `delta`,
+   * or if `isLeft = false` and `mul`'s right operand is bounded by `delta`.
+   *
+   * If `upper = true` the computed bound contributes to an upper bound of `mul`,
+   * and if `upper = false` it contributes to a lower bound.
+   * The `fromBackEdge`, `origdelta`, `reason` triple are defined by the recursive
+   * call to `bounded`.
+   */
+  pragma[nomagic]
+  private predicate boundedMulOperand(
+    SemMulExpr mul, boolean upper, boolean isLeft, D::Delta delta, boolean fromBackEdge,
+    D::Delta origdelta, SemReason reason
+  ) {
+    exists(boolean upperLeft, boolean upperRight, SemExpr left, SemExpr right |
+      boundedMulOperandCand(mul, left, right, upper, upperLeft, upperRight)
+    |
+      isLeft = true and
+      bounded(left, any(SemZeroBound zb), delta, upperLeft, fromBackEdge, origdelta, reason)
+      or
+      isLeft = false and
+      bounded(right, any(SemZeroBound zb), delta, upperRight, fromBackEdge, origdelta, reason)
+    )
+  }
 }

cpp/ql/lib/qlpack.yml

@@ -8,3 +8,4 @@ upgrades: upgrades
 dependencies:
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
+  codeql/util: ${workspace}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  flowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }