Merge branch 'main' into rdmarsh2/swift/keypath-write-flow

Author: rdmarsh2

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj

@@ -11,12 +11,12 @@
   <ItemGroup>
     <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
     <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-    <PackageReference Include="xunit" Version="2.5.0" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
+    <PackageReference Include="xunit" Version="2.4.2" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
   </ItemGroup>
 
   <ItemGroup>

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -17,7 +17,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="17.7.2" />
+    <PackageReference Include="Microsoft.Build" Version="17.3.2" />
   </ItemGroup>
 
   <ItemGroup>

cpp/ql/lib/change-notes/2023-09-06-as-defining-argument-off-by-one-fix.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.

cpp/ql/lib/change-notes/2023-09-07-return-from-end.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Treat functions that reach the end of the function as returning in the IR.
+  They used to be treated as unreachable but it is allowed in C. 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -254,9 +254,7 @@ class Node extends TIRDataFlowNode {
    * after the `f` has returned.
    */
   Expr asDefiningArgument(int index) {
-    // Subtract one because `DefinitionByReferenceNode` is defined to be in
-    // the range `[0 ... n - 1]` for some `n` instead of `[1 ... n]`.
-    this.(DefinitionByReferenceNode).getIndirectionIndex() = index - 1 and
+    this.(DefinitionByReferenceNode).getIndirectionIndex() = index and
     result = this.(DefinitionByReferenceNode).getArgument()
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -405,9 +405,6 @@ predicate hasUnreachedInstruction(IRFunction func) {
   exists(Call c |
     c.getEnclosingFunction() = func.getFunction() and
     any(Options opt).exits(c.getTarget())
-  ) and
-  not exists(TranslatedUnreachableReturnStmt return |
-    return.getEnclosingFunction().getFunction() = func.getFunction()
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -442,29 +442,26 @@ class TranslatedReturnVoidStmt extends TranslatedReturnStmt {
 
 /**
  * The IR translation of an implicit `return` statement generated by the extractor to handle control
- * flow that reaches the end of a non-`void`-returning function body. Since such control flow
- * produces undefined behavior, we simply generate an `Unreached` instruction to prevent that flow
- * from continuing on to pollute other analysis. The assumption is that the developer is certain
- * that the implicit `return` is unreachable, even if the compiler cannot prove it.
+ * flow that reaches the end of a non-`void`-returning function body. Such control flow
+ * produces undefined behavior in C++ but not in C. However even in C using the return value is
+ * undefined behaviour. We make it return uninitialized memory to get as much flow as possible.
  */
-class TranslatedUnreachableReturnStmt extends TranslatedReturnStmt {
-  TranslatedUnreachableReturnStmt() {
+class TranslatedNoValueReturnStmt extends TranslatedReturnStmt, TranslatedVariableInitialization {
+  TranslatedNoValueReturnStmt() {
     not stmt.hasExpr() and hasReturnValue(stmt.getEnclosingFunction())
   }
 
-  override TranslatedElement getChild(int id) { none() }
-
-  override Instruction getFirstInstruction() { result = this.getInstruction(OnlyInstructionTag()) }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
-    tag = OnlyInstructionTag() and
-    opcode instanceof Opcode::Unreached and
-    resultType = getVoidType()
+  final override Instruction getInitializationSuccessor() {
+    result = this.getEnclosingFunction().getReturnSuccessorInstruction()
   }
 
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
+  final override Type getTargetType() { result = this.getEnclosingFunction().getReturnType() }
 
-  override Instruction getChildSuccessor(TranslatedElement child) { none() }
+  final override TranslatedInitialization getInitialization() { none() }
+
+  final override IRVariable getIRVariable() {
+    result = this.getEnclosingFunction().getReturnVariable()
+  }
 }
 
 /**

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -6207,10 +6207,12 @@
 | ir.cpp:1286:25:1286:49 | ChiPartial | partial:m1286_7 |
 | ir.cpp:1286:25:1286:49 | ChiTotal | total:m1286_4 |
 | ir.cpp:1286:25:1286:49 | SideEffect | ~m1286_4 |
-| ir.cpp:1289:5:1289:22 | Address | &:r1289_9 |
+| ir.cpp:1289:5:1289:22 | Address | &:r1289_10 |
 | ir.cpp:1289:5:1289:22 | ChiPartial | partial:m1289_3 |
 | ir.cpp:1289:5:1289:22 | ChiTotal | total:m1289_2 |
-| ir.cpp:1289:5:1289:22 | Load | m1291_4 |
+| ir.cpp:1289:5:1289:22 | Load | m1289_9 |
+| ir.cpp:1289:5:1289:22 | Phi | from 2:m1291_4 |
+| ir.cpp:1289:5:1289:22 | Phi | from 3:m1293_2 |
 | ir.cpp:1289:5:1289:22 | SideEffect | m1289_3 |
 | ir.cpp:1289:29:1289:29 | Address | &:r1289_5 |
 | ir.cpp:1289:36:1289:36 | Address | &:r1289_7 |
@@ -6221,6 +6223,7 @@
 | ir.cpp:1291:16:1291:16 | Address | &:r1291_2 |
 | ir.cpp:1291:16:1291:16 | Load | m1289_8 |
 | ir.cpp:1291:16:1291:16 | StoreValue | r1291_3 |
+| ir.cpp:1293:1:1293:1 | Address | &:r1293_1 |
 | ir.cpp:1295:6:1295:15 | ChiPartial | partial:m1295_3 |
 | ir.cpp:1295:6:1295:15 | ChiTotal | total:m1295_2 |
 | ir.cpp:1295:6:1295:15 | SideEffect | ~m1296_8 |
@@ -8393,16 +8396,23 @@
 | ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_20 |
 | ir.cpp:1747:39:1747:39 | SideEffect | ~m1747_4 |
 | ir.cpp:1747:39:1747:39 | SideEffect | ~m1747_15 |
+| ir.cpp:1750:5:1750:34 | Address | &:r1750_5 |
 | ir.cpp:1750:5:1750:34 | ChiPartial | partial:m1750_3 |
 | ir.cpp:1750:5:1750:34 | ChiTotal | total:m1750_2 |
+| ir.cpp:1750:5:1750:34 | Load | m1755_2 |
+| ir.cpp:1750:5:1750:34 | SideEffect | ~m1754_10 |
 | ir.cpp:1751:51:1751:51 | Address | &:r1751_1 |
 | ir.cpp:1751:51:1751:51 | Address | &:r1751_1 |
 | ir.cpp:1751:51:1751:51 | Address | &:r1751_3 |
+| ir.cpp:1751:51:1751:51 | Address | &:r1751_3 |
 | ir.cpp:1751:51:1751:51 | Load | m1751_2 |
+| ir.cpp:1751:51:1751:51 | SideEffect | m1751_4 |
 | ir.cpp:1752:48:1752:48 | Address | &:r1752_1 |
 | ir.cpp:1752:48:1752:48 | Address | &:r1752_1 |
 | ir.cpp:1752:48:1752:48 | Address | &:r1752_3 |
+| ir.cpp:1752:48:1752:48 | Address | &:r1752_3 |
 | ir.cpp:1752:48:1752:48 | Load | m1752_2 |
+| ir.cpp:1752:48:1752:48 | SideEffect | m1752_4 |
 | ir.cpp:1753:40:1753:41 | Address | &:r1753_1 |
 | ir.cpp:1753:40:1753:41 | Address | &:r1753_1 |
 | ir.cpp:1753:40:1753:41 | Arg(this) | this:r1753_1 |
@@ -8435,6 +8445,7 @@
 | ir.cpp:1754:42:1754:42 | SideEffect | ~m1752_4 |
 | ir.cpp:1754:42:1754:42 | Unary | r1754_5 |
 | ir.cpp:1754:42:1754:42 | Unary | r1754_6 |
+| ir.cpp:1755:1:1755:1 | Address | &:r1755_1 |
 | ir.cpp:1757:6:1757:22 | ChiPartial | partial:m1757_3 |
 | ir.cpp:1757:6:1757:22 | ChiTotal | total:m1757_2 |
 | ir.cpp:1757:6:1757:22 | SideEffect | m1757_3 |
@@ -9588,22 +9599,27 @@
 | ir.cpp:2021:23:2021:40 | SideEffect | ~m2021_27 |
 | ir.cpp:2021:23:2021:40 | Unary | r2021_20 |
 | ir.cpp:2021:23:2021:40 | Unary | r2021_28 |
+| ir.cpp:2026:14:2026:22 | Address | &:r2026_7 |
 | ir.cpp:2026:14:2026:22 | ChiPartial | partial:m2026_3 |
 | ir.cpp:2026:14:2026:22 | ChiTotal | total:m2026_2 |
+| ir.cpp:2026:14:2026:22 | Load | m2031_2 |
+| ir.cpp:2026:14:2026:22 | SideEffect | ~m2028_6 |
 | ir.cpp:2026:37:2026:37 | Address | &:r2026_5 |
 | ir.cpp:2027:16:2027:16 | Address | &:r2027_1 |
-| ir.cpp:2028:3:2028:3 | Address | &:r2028_9 |
+| ir.cpp:2028:3:2028:3 | Address | &:r2028_10 |
 | ir.cpp:2028:7:2028:7 | Address | &:r2028_1 |
 | ir.cpp:2028:7:2028:7 | Left | r2028_2 |
 | ir.cpp:2028:7:2028:7 | Load | m2026_6 |
 | ir.cpp:2028:7:2028:13 | Condition | r2028_4 |
-| ir.cpp:2028:7:2030:28 | Address | &:r2028_7 |
-| ir.cpp:2028:7:2030:28 | Address | &:r2028_11 |
-| ir.cpp:2028:7:2030:28 | Address | &:r2028_13 |
-| ir.cpp:2028:7:2030:28 | Load | m2028_6 |
-| ir.cpp:2028:7:2030:28 | Phi | from 2:m2028_12 |
-| ir.cpp:2028:7:2030:28 | Phi | from 3:m2028_14 |
-| ir.cpp:2028:7:2030:28 | StoreValue | r2028_8 |
+| ir.cpp:2028:7:2030:28 | Address | &:r2028_8 |
+| ir.cpp:2028:7:2030:28 | Address | &:r2028_12 |
+| ir.cpp:2028:7:2030:28 | Address | &:r2028_14 |
+| ir.cpp:2028:7:2030:28 | Load | m2028_7 |
+| ir.cpp:2028:7:2030:28 | Phi | from 2:m2028_13 |
+| ir.cpp:2028:7:2030:28 | Phi | from 2:~m2029_6 |
+| ir.cpp:2028:7:2030:28 | Phi | from 3:m2028_15 |
+| ir.cpp:2028:7:2030:28 | Phi | from 3:~m2030_6 |
+| ir.cpp:2028:7:2030:28 | StoreValue | r2028_9 |
 | ir.cpp:2028:11:2028:13 | Right | r2028_3 |
 | ir.cpp:2029:6:2029:20 | CallTarget | func:r2029_1 |
 | ir.cpp:2029:6:2029:20 | ChiPartial | partial:m2029_5 |
@@ -9626,6 +9642,7 @@
 | ir.cpp:2030:22:2030:22 | Arg(0) | 0:r2030_3 |
 | ir.cpp:2030:22:2030:22 | Load | m2026_6 |
 | ir.cpp:2030:26:2030:27 | Unary | r2030_7 |
+| ir.cpp:2031:1:2031:1 | Address | &:r2031_1 |
 | ir.cpp:2033:6:2033:17 | ChiPartial | partial:m2033_3 |
 | ir.cpp:2033:6:2033:17 | ChiTotal | total:m2033_2 |
 | ir.cpp:2033:6:2033:17 | SideEffect | ~m2036_6 |
@@ -9721,8 +9738,11 @@
 | ir.cpp:2051:32:2051:32 | Address | &:r2051_7 |
 | ir.cpp:2051:32:2051:32 | Load | m2051_6 |
 | ir.cpp:2051:32:2051:32 | SideEffect | m2051_8 |
+| ir.cpp:2056:5:2056:18 | Address | &:r2056_5 |
 | ir.cpp:2056:5:2056:18 | ChiPartial | partial:m2056_3 |
 | ir.cpp:2056:5:2056:18 | ChiTotal | total:m2056_2 |
+| ir.cpp:2056:5:2056:18 | Load | m2066_2 |
+| ir.cpp:2056:5:2056:18 | SideEffect | ~m2065_6 |
 | ir.cpp:2058:12:2058:13 | Address | &:r2058_1 |
 | ir.cpp:2058:17:2058:27 | Address | &:r2058_4 |
 | ir.cpp:2058:17:2058:27 | Address | &:r2058_8 |
@@ -9796,6 +9816,7 @@
 | ir.cpp:2065:12:2065:12 | Address | &:r2065_2 |
 | ir.cpp:2065:12:2065:12 | Arg(0) | 0:r2065_3 |
 | ir.cpp:2065:12:2065:12 | Load | m2064_15 |
+| ir.cpp:2066:1:2066:1 | Address | &:r2066_1 |
 | ir.cpp:2070:6:2070:26 | ChiPartial | partial:m2070_3 |
 | ir.cpp:2070:6:2070:26 | ChiTotal | total:m2070_2 |
 | ir.cpp:2070:6:2070:26 | SideEffect | ~m2072_5 |

cpp/ql/test/library-tests/ir/ir/raw_consistency.expected

@@ -12,13 +12,15 @@ unnecessaryPhiInstruction
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
+missingCanonicalLanguageType
+multipleCanonicalLanguageTypes
 containsLoopOfForwardEdges
+missingIRType
+multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 | ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
-| ir.cpp:1751:51:1751:51 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1750:5:1750:34 | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) |
-| ir.cpp:1752:48:1752:48 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1750:5:1750:34 | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) |
 | try_except.c:13:13:13:13 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:6:6:6:6 | void f() | void f() |
 | try_except.c:13:13:13:13 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:6:6:6:6 | void f() | void f() |
 | try_except.c:39:15:39:15 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:32:6:32:6 | void h(int) | void h(int) |
@@ -35,8 +37,4 @@ nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 nonUniqueIRVariable
-missingCanonicalLanguageType
-multipleCanonicalLanguageTypes
-missingIRType
-multipleIRTypes
 missingCppType