Merge branch 'main' into tuples

Author: geoffw0

.github/workflows/compile-queries.yml

@@ -24,21 +24,21 @@ jobs:
         run: |
           MERGE_BASE=$(git merge-base --fork-point origin/$BASE_BRANCH)
           echo "merge-base=$MERGE_BASE" >> $GITHUB_ENV
-      - name: Calculate merge-base - branch
-        if: ${{ github.event_name != 'pull_request' }}
-        # using github.sha instead, since we're directly on a branch, and not in a PR
-        run: |
-          MERGE_BASE=${{ github.sha }}
-          echo "merge-base=$MERGE_BASE" >> $GITHUB_ENV
-      - name: Cache CodeQL query compilation
+      - name: Read CodeQL query compilation - PR
+        if: ${{ github.event_name == 'pull_request' }}
         uses: actions/cache@v3
         with:
           path: '*/ql/src/.cache'
-          # current GH HEAD first, merge-base second, generic third
-          key: codeql-stable-compile-${{ github.sha }}
+          key: codeql-compile-pr-${{ github.sha }} # deliberately not using the `compile-compile-main` keys here.
           restore-keys: |
-            codeql-stable-compile-${{ env.merge-base }}
-            codeql-stable-compile-
+            codeql-compile-main-${{ env.merge-base }}
+            codeql-compile-main-
+      - name: Fill CodeQL query compilation cache - main
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/cache@v3
+        with:
+          path: '*/ql/src/.cache'
+          key: codeql-compile-main-${{ github.sha }} # just fill on main
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
         with:

.github/workflows/swift.yml

@@ -51,12 +51,14 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./swift/actions/create-extractor-pack
       - uses: ./swift/actions/run-quick-tests
+      - uses: ./swift/actions/print-unextracted
   build-and-test-linux:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v3
       - uses: ./swift/actions/create-extractor-pack
       - uses: ./swift/actions/run-quick-tests
+      - uses: ./swift/actions/print-unextracted
   qltests-linux:
     needs: build-and-test-linux
     runs-on: ubuntu-latest

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll

@@ -50,19 +50,18 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    this.getName() = ["strncat", "wcsncat", "_mbsncat", "_mbsncat_l"] and
-    input.isParameter(2) and
-    output.isParameterDeref(0)
-    or
-    this.getName() = ["_mbsncat_l", "_mbsnbcat_l"] and
-    input.isParameter(3) and
-    output.isParameterDeref(0)
-    or
-    input.isParameterDeref(0) and
-    output.isParameterDeref(0)
-    or
-    input.isParameterDeref(1) and
-    output.isParameterDeref(0)
+    (
+      this.getName() = ["strncat", "wcsncat", "_mbsncat", "_mbsncat_l"] and
+      input.isParameter(2)
+      or
+      this.getName() = ["_mbsncat_l", "_mbsnbcat_l"] and
+      input.isParameter(3)
+      or
+      input.isParameterDeref(0)
+      or
+      input.isParameterDeref(1)
+    ) and
+    (output.isParameterDeref(0) or output.isReturnValueDeref())
   }
 
   override predicate hasArrayInput(int param) {

cpp/ql/src/Likely Bugs/Format/TooManyFormatArguments.ql

@@ -13,11 +13,18 @@
 
 import cpp
 
-from FormatLiteral fl, FormattingFunctionCall ffc, int expected, int given
+from FormatLiteral fl, FormattingFunctionCall ffc, int expected, int given, string ffcName
 where
   ffc = fl.getUse() and
   expected = fl.getNumArgNeeded() and
   given = ffc.getNumFormatArgument() and
   expected < given and
-  fl.specsAreKnown()
-select ffc, "Format expects " + expected.toString() + " arguments but given " + given.toString()
+  fl.specsAreKnown() and
+  (
+    if ffc.isInMacroExpansion()
+    then ffcName = ffc.getTarget().getName() + " (in a macro expansion)"
+    else ffcName = ffc.getTarget().getName()
+  )
+select ffc,
+  "Format for " + ffcName + " expects " + expected.toString() + " arguments but given " +
+    given.toString()

cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql

@@ -16,11 +16,18 @@
 
 import cpp
 
-from FormatLiteral fl, FormattingFunctionCall ffc, int expected, int given
+from FormatLiteral fl, FormattingFunctionCall ffc, int expected, int given, string ffcName
 where
   ffc = fl.getUse() and
   expected = fl.getNumArgNeeded() and
   given = ffc.getNumFormatArgument() and
   expected > given and
-  fl.specsAreKnown()
-select ffc, "Format expects " + expected.toString() + " arguments but given " + given.toString()
+  fl.specsAreKnown() and
+  (
+    if ffc.isInMacroExpansion()
+    then ffcName = ffc.getTarget().getName() + " (in a macro expansion)"
+    else ffcName = ffc.getTarget().getName()
+  )
+select ffc,
+  "Format for " + ffcName + " expects " + expected.toString() + " arguments but given " +
+    given.toString()

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -87,4 +87,7 @@ postWithInFlow
 | test.cpp:465:3:465:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:465:4:465:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:470:22:470:22 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:499:3:499:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:499:4:499:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:505:35:505:35 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -582,6 +582,13 @@ postWithInFlow
 | test.cpp:489:7:489:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:491:5:491:5 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:494:5:494:5 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:499:3:499:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:499:4:499:4 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:499:4:499:4 | p [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:504:7:504:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:505:34:505:35 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:505:34:505:35 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:505:35:505:35 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | true_upon_entry.cpp:9:7:9:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | true_upon_entry.cpp:10:12:10:12 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | true_upon_entry.cpp:10:27:10:27 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -494,3 +494,14 @@ void regression_with_phi_flow(int clean1) {
     x = source();
   }
 }
+
+int intOutparamSourceMissingReturn(int *p) {
+  *p = source();
+  // return deliberately omitted to test IR dataflow behavior
+}
+
+void viaOutparamMissingReturn() {
+  int x = 0;
+  intOutparamSourceMissingReturn(&x);
+  sink(x); // $ ast,ir
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/true_upon_entry.cpp

@@ -5,31 +5,31 @@ int source();
 void sink(...);
 bool random();
 
-int test1() {
+void test1() {
   int x = source();
   for (int i = 0; i < 10; i++) {
     x = 0;
   }
   sink(x); // $ SPURIOUS: ir
 }
 
-int test2(int iterations) {
+void test2(int iterations) {
   int x = source();
   for (int i = 0; i < iterations; i++) {
     x = 0;
   }
   sink(x); // $ ast,ir
 }
 
-int test3() {
+void test3() {
   int x = 0;
   for (int i = 0; i < 10; i++) {
     x = source();
   }
   sink(x); // $ ast,ir
 }
 
-int test4() {
+void test4() {
   int x = source();
   for (int i = 0; i < 10; i++) {
     if (random())
@@ -39,7 +39,7 @@ int test4() {
   sink(x); // $ ast,ir
 }
 
-int test5() {
+void test5() {
   int x = source();
   for (int i = 0; i < 10; i++) {
     if (random())
@@ -49,15 +49,15 @@ int test5() {
   sink(x); // $ ast,ir
 }
 
-int test6() {
+void test6() {
   int y;
   int x = source();
   for (int i = 0; i < 10 && (y = 1); i++) {
   }
   sink(x); // $ ast,ir
 }
 
-int test7() {
+void test7() {
   int y;
   int x = source();
   for (int i = 0; i < 10 && (y = 1); i++) {
@@ -66,7 +66,7 @@ int test7() {
   sink(x); // $ SPURIOUS: ir
 }
 
-int test8() {
+void test8() {
   int x = source();
   // It appears to the analysis that the condition can exit after `i < 10`
   // without having assigned to `x`. That is an effect of how the
@@ -78,29 +78,29 @@ int test8() {
   sink(x); // $ SPURIOUS: ast,ir
 }
 
-int test9() {
+void test9() {
   int y;
   int x = source();
   for (int i = 0; (y = 1) && i < 10; i++) {
   }
   sink(x); // $ ast,ir
 }
 
-int test10() {
+void test10() {
   int x = source();
   for (int i = 0; (x = 1) && i < 10; i++) {
   }
   sink(x); // no flow
 }
 
-int test10(int b, int d) {
+void test10(int b, int d) {
   int i = 0;
   int x = source();
   if (b)
     goto L;
   for (; i < 10; i += d) {
     x = 0;
-    L:
+    L: ;
   }
   sink(x); // $ ir MISSING: ast
 }

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -5964,6 +5964,7 @@
 | taint.cpp:172:10:172:15 | buffer | taint.cpp:172:3:172:8 | call to strcat |  |
 | taint.cpp:172:10:172:15 | buffer | taint.cpp:172:10:172:15 | ref arg buffer | TAINT |
 | taint.cpp:172:10:172:15 | ref arg buffer | taint.cpp:173:8:173:13 | buffer |  |
+| taint.cpp:172:18:172:24 | tainted | taint.cpp:172:3:172:8 | call to strcat | TAINT |
 | taint.cpp:172:18:172:24 | tainted | taint.cpp:172:10:172:15 | ref arg buffer | TAINT |
 | taint.cpp:180:19:180:19 | p | taint.cpp:180:19:180:19 | p |  |
 | taint.cpp:180:19:180:19 | p | taint.cpp:181:9:181:9 | p |  |
@@ -6373,12 +6374,14 @@
 | taint.cpp:561:9:561:13 | dest1 | taint.cpp:561:9:561:13 | ref arg dest1 | TAINT |
 | taint.cpp:561:9:561:13 | ref arg dest1 | taint.cpp:560:24:560:28 | dest1 |  |
 | taint.cpp:561:9:561:13 | ref arg dest1 | taint.cpp:562:7:562:11 | dest1 |  |
+| taint.cpp:561:16:561:21 | source | taint.cpp:561:2:561:7 | call to strcat | TAINT |
 | taint.cpp:561:16:561:21 | source | taint.cpp:561:9:561:13 | ref arg dest1 | TAINT |
 | taint.cpp:562:7:562:11 | ref arg dest1 | taint.cpp:560:24:560:28 | dest1 |  |
 | taint.cpp:564:9:564:13 | dest2 | taint.cpp:564:2:564:7 | call to strcat |  |
 | taint.cpp:564:9:564:13 | dest2 | taint.cpp:564:9:564:13 | ref arg dest2 | TAINT |
 | taint.cpp:564:9:564:13 | ref arg dest2 | taint.cpp:560:37:560:41 | dest2 |  |
 | taint.cpp:564:9:564:13 | ref arg dest2 | taint.cpp:565:7:565:11 | dest2 |  |
+| taint.cpp:564:16:564:20 | clean | taint.cpp:564:2:564:7 | call to strcat | TAINT |
 | taint.cpp:564:16:564:20 | clean | taint.cpp:564:9:564:13 | ref arg dest2 | TAINT |
 | taint.cpp:565:7:565:11 | ref arg dest2 | taint.cpp:560:37:560:41 | dest2 |  |
 | taint.cpp:572:37:572:41 | dest1 | taint.cpp:572:37:572:41 | dest1 |  |
@@ -6405,9 +6408,12 @@
 | taint.cpp:574:36:574:40 | ref arg dest1 | taint.cpp:572:37:572:41 | dest1 |  |
 | taint.cpp:574:36:574:40 | ref arg dest1 | taint.cpp:575:7:575:11 | dest1 |  |
 | taint.cpp:574:36:574:40 | ref arg dest1 | taint.cpp:576:8:576:12 | dest1 |  |
+| taint.cpp:574:43:574:45 | ptr | taint.cpp:574:25:574:34 | call to _mbsncat_l | TAINT |
 | taint.cpp:574:43:574:45 | ptr | taint.cpp:574:36:574:40 | ref arg dest1 | TAINT |
+| taint.cpp:574:48:574:48 | n | taint.cpp:574:25:574:34 | call to _mbsncat_l | TAINT |
 | taint.cpp:574:48:574:48 | n | taint.cpp:574:36:574:40 | ref arg dest1 | TAINT |
 | taint.cpp:574:51:574:56 | ref arg source | taint.cpp:573:49:573:54 | source |  |
+| taint.cpp:574:51:574:56 | source | taint.cpp:574:25:574:34 | call to _mbsncat_l | TAINT |
 | taint.cpp:574:51:574:56 | source | taint.cpp:574:36:574:40 | ref arg dest1 | TAINT |
 | taint.cpp:575:7:575:11 | ref arg dest1 | taint.cpp:572:37:572:41 | dest1 |  |
 | taint.cpp:575:7:575:11 | ref arg dest1 | taint.cpp:576:8:576:12 | dest1 |  |
@@ -6421,8 +6427,11 @@
 | taint.cpp:580:36:580:40 | ref arg dest3 | taint.cpp:572:85:572:89 | dest3 |  |
 | taint.cpp:580:36:580:40 | ref arg dest3 | taint.cpp:581:7:581:11 | dest3 |  |
 | taint.cpp:580:36:580:40 | ref arg dest3 | taint.cpp:582:8:582:12 | dest3 |  |
+| taint.cpp:580:43:580:45 | ptr | taint.cpp:580:25:580:34 | call to _mbsncat_l | TAINT |
 | taint.cpp:580:43:580:45 | ptr | taint.cpp:580:36:580:40 | ref arg dest3 | TAINT |
+| taint.cpp:580:48:580:48 | n | taint.cpp:580:25:580:34 | call to _mbsncat_l | TAINT |
 | taint.cpp:580:48:580:48 | n | taint.cpp:580:36:580:40 | ref arg dest3 | TAINT |
+| taint.cpp:580:51:580:55 | clean | taint.cpp:580:25:580:34 | call to _mbsncat_l | TAINT |
 | taint.cpp:580:51:580:55 | clean | taint.cpp:580:36:580:40 | ref arg dest3 | TAINT |
 | taint.cpp:580:51:580:55 | ref arg clean | taint.cpp:573:32:573:36 | clean |  |
 | taint.cpp:581:7:581:11 | ref arg dest3 | taint.cpp:572:85:572:89 | dest3 |  |