Merge branch 'main' into java/update-mad-decls-after-triage-2023-06-08T08-51-47

Author: Stephan Brandauer

.github/labeler.yml

@@ -11,7 +11,7 @@ Go:
   - change-notes/**/*go.*
 
 Java:
-  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/kotlin-explorer/**/*', '!java/ql/test/kotlin/**/*' ]
+  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/ql/test/kotlin/**/*' ]
   - change-notes/**/*java.*
 
 JS:
@@ -20,7 +20,6 @@ JS:
 
 Kotlin:
   - java/kotlin-extractor/**/*
-  - java/kotlin-explorer/**/*
   - java/ql/test/kotlin/**/*
 
 Python:

CODEOWNERS

@@ -8,7 +8,6 @@
 /swift/ @github/codeql-swift
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
-/java/kotlin-explorer/ @github/codeql-kotlin
 
 # ML-powered queries
 /javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
    */
   final Language::AST getAst() { result = Construction::getInstructionAst(this) }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
   /**
    * Gets the location of the source code for this instruction.
    */
@@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
    * Gets the AST variable that this instruction's IR variable refers to, if one exists.
    */
   final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /** DEPRECATED: Alias for getAstVariable */
-  deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -422,12 +422,6 @@ private module Cached {
     )
   }
 
-  /** DEPRECATED: Alias for getInstructionAst */
-  cached
-  deprecated Language::AST getInstructionAST(Instruction instr) {
-    result = getInstructionAst(instr)
-  }
-
   cached
   Language::LanguageType getInstructionResultType(Instruction instr) {
     result = instr.(RawIR::Instruction).getResultLanguageType()
@@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
   // We don't support reusing SSA for any location that could create a `Chi` instruction.
 }
 
-/** DEPRECATED: Alias for canReuseSsaForMemoryResult */
-deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
-
 /**
  * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
  * `DebugSsa` module, which is then imported by PrintSSA.
@@ -1005,9 +996,6 @@ module DebugSsa {
   import DefUse
 }
 
-/** DEPRECATED: Alias for DebugSsa */
-deprecated module DebugSSA = DebugSsa;
-
 import CachedForDebugging
 
 cached

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll

@@ -73,9 +73,6 @@ module UnaliasedSsaInstructions {
   }
 }
 
-/** DEPRECATED: Alias for UnaliasedSsaInstructions */
-deprecated module UnaliasedSSAInstructions = UnaliasedSsaInstructions;
-
 /**
  * Provides wrappers for the constructors of each branch of `TInstruction` that is used by the
  * aliased SSA stage.
@@ -107,6 +104,3 @@ module AliasedSsaInstructions {
     result = TAliasedSsaUnreachedInstruction(irFunc)
   }
 }
-
-/** DEPRECATED: Alias for AliasedSsaInstructions */
-deprecated module AliasedSSAInstructions = AliasedSsaInstructions;

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
    */
   final Language::AST getAst() { result = Construction::getInstructionAst(this) }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
   /**
    * Gets the location of the source code for this instruction.
    */
@@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
    * Gets the AST variable that this instruction's IR variable refers to, if one exists.
    */
   final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /** DEPRECATED: Alias for getAstVariable */
-  deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
    */
   final Language::AST getAst() { result = Construction::getInstructionAst(this) }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
   /**
    * Gets the location of the source code for this instruction.
    */
@@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
    * Gets the AST variable that this instruction's IR variable refers to, if one exists.
    */
   final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /** DEPRECATED: Alias for getAstVariable */
-  deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -422,12 +422,6 @@ private module Cached {
     )
   }
 
-  /** DEPRECATED: Alias for getInstructionAst */
-  cached
-  deprecated Language::AST getInstructionAST(Instruction instr) {
-    result = getInstructionAst(instr)
-  }
-
   cached
   Language::LanguageType getInstructionResultType(Instruction instr) {
     result = instr.(RawIR::Instruction).getResultLanguageType()
@@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
   // We don't support reusing SSA for any location that could create a `Chi` instruction.
 }
 
-/** DEPRECATED: Alias for canReuseSsaForMemoryResult */
-deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
-
 /**
  * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
  * `DebugSsa` module, which is then imported by PrintSSA.
@@ -1005,9 +996,6 @@ module DebugSsa {
   import DefUse
 }
 
-/** DEPRECATED: Alias for DebugSsa */
-deprecated module DebugSSA = DebugSsa;
-
 import CachedForDebugging
 
 cached

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll

@@ -46,9 +46,6 @@ predicate canReuseSsaForVariable(IRAutomaticVariable var) {
   not allocationEscapes(var)
 }
 
-/** DEPRECATED: Alias for canReuseSsaForVariable */
-deprecated predicate canReuseSSAForVariable = canReuseSsaForVariable/1;
-
 private newtype TMemoryLocation = MkMemoryLocation(Allocation var) { isVariableModeled(var) }
 
 private MemoryLocation getMemoryLocation(Allocation var) { result.getAllocation() = var }
@@ -80,9 +77,6 @@ class MemoryLocation extends TMemoryLocation {
 
 predicate canReuseSsaForOldResult(Instruction instr) { none() }
 
-/** DEPRECATED: Alias for canReuseSsaForOldResult */
-deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1;
-
 /**
  * Represents a set of `MemoryLocation`s that cannot overlap with
  * `MemoryLocation`s outside of the set. The `VirtualVariable` will be

cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql

@@ -179,15 +179,34 @@ predicate isSinkImpl(
   pointerAddInstructionHasBounds(pai, sink1, sink2, delta)
 }
 
+/**
+ * Yields any instruction that is control-flow reachable from `instr`.
+ */
+bindingset[instr, result]
+pragma[inline_late]
+Instruction getASuccessor(Instruction instr) {
+  exists(IRBlock b, int instrIndex, int resultIndex |
+    result.getBlock() = b and
+    instr.getBlock() = b and
+    b.getInstruction(instrIndex) = instr and
+    b.getInstruction(resultIndex) = result
+  |
+    resultIndex >= instrIndex
+  )
+  or
+  instr.getBlock().getASuccessor+() = result.getBlock()
+}
+
 /**
  * Holds if `sink` is a sink for `InvalidPointerToDerefConfig` and `i` is a `StoreInstruction` that
  * writes to an address that non-strictly upper-bounds `sink`, or `i` is a `LoadInstruction` that
  * reads from an address that non-strictly upper-bounds `sink`.
  */
 pragma[inline]
 predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation, int delta) {
-  exists(AddressOperand addr |
-    bounded1(addr.getDef(), sink.asInstruction(), delta) and
+  exists(AddressOperand addr, Instruction s |
+    s = sink.asInstruction() and
+    bounded1(addr.getDef(), s, delta) and
     delta >= 0 and
     i.getAnOperand() = addr
   |
@@ -247,7 +266,8 @@ newtype TMergedPathNode =
   TPathNodeSink(Instruction i) {
     exists(DataFlow::Node n |
       InvalidPointerToDerefFlow::flowTo(n) and
-      isInvalidPointerDerefSink(n, i, _, _)
+      isInvalidPointerDerefSink(n, i, _, _) and
+      i = getASuccessor(n.asInstruction())
     )
   }
 
@@ -377,15 +397,19 @@ predicate hasFlowPath(
 }
 
 from
-  MergedPathNode source, MergedPathNode sink, int k2, int k3, string kstr,
-  InvalidPointerToDerefFlow::PathNode source3, PointerArithmeticInstruction pai, string operation,
-  Expr offset, DataFlow::Node n
+  MergedPathNode source, MergedPathNode sink, int k, string kstr, PointerArithmeticInstruction pai,
+  string operation, Expr offset, DataFlow::Node n
 where
-  hasFlowPath(source, sink, source3, pai, operation, k3) and
-  invalidPointerToDerefSource(pai, source3.getNode(), k2) and
+  k =
+    min(int k2, int k3, InvalidPointerToDerefFlow::PathNode source3 |
+      hasFlowPath(source, sink, source3, pai, operation, k3) and
+      invalidPointerToDerefSource(pai, source3.getNode(), k2)
+    |
+      k2 + k3
+    ) and
   offset = pai.getRight().getUnconvertedResultExpression() and
   n = source.asPathNode1().getNode() and
-  if (k2 + k3) = 0 then kstr = "" else kstr = " + " + (k2 + k3)
+  if k = 0 then kstr = "" else kstr = " + " + k
 select sink, source, sink,
   "This " + operation + " might be out of bounds, as the pointer might be equal to $@ + $@" + kstr +
     ".", n, n.toString(), offset, offset.toString()