Merge pull request #14367 from github/henrymercer/rc-3.11-mergeback

Merge `rc/3.11` into `main`

Author: henrymercer

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,22 @@
+## 0.9.3
+
+No user-facing changes.
+
+## 0.9.2
+
+### Deprecated APIs
+
+* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
+
+### New Features
+
+* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
+
+### Minor Analysis Improvements
+
+* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
+* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
+
 ## 0.9.1
 
 No user-facing changes.

cpp/ql/lib/change-notes/2023-08-24-no-taint-argv-indirections.md

@@ -0,0 +1,14 @@
+## 0.9.2
+
+### Deprecated APIs
+
+* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
+
+### New Features
+
+* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
+
+### Minor Analysis Improvements
+
+* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
+* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.

cpp/ql/lib/change-notes/2023-08-25-delete-or-delete-array.md

@@ -0,0 +1,3 @@
+## 0.9.3
+
+No user-facing changes.

cpp/ql/lib/change-notes/2023-08-25-getAllocatorCall-deprecated.md

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.1
+lastReleaseVersion: 0.9.3

cpp/ql/lib/change-notes/2023-08-29-delete-ir.md

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.9.2-dev
+version: 0.10.0-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/change-notes/released/0.9.2.md

@@ -645,12 +645,24 @@ private predicate adjustForPointerArith(PostUpdateNode pun, UseOrPhi use) {
   )
 }
 
+/**
+ * Holds if `nodeFrom` flows to `nodeTo` because there is `def-use` or
+ * `use-use` flow from `defOrUse` to `use`.
+ *
+ * `uncertain` is `true` if the `defOrUse` is an uncertain definition.
+ */
+private predicate localSsaFlow(
+  SsaDefOrUse defOrUse, Node nodeFrom, UseOrPhi use, Node nodeTo, boolean uncertain
+) {
+  nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and
+  adjacentDefRead(defOrUse, use) and
+  useToNode(use, nodeTo) and
+  nodeFrom != nodeTo
+}
+
 private predicate ssaFlowImpl(SsaDefOrUse defOrUse, Node nodeFrom, Node nodeTo, boolean uncertain) {
   exists(UseOrPhi use |
-    nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and
-    adjacentDefRead(defOrUse, use) and
-    useToNode(use, nodeTo) and
-    nodeFrom != nodeTo
+    localSsaFlow(defOrUse, nodeFrom, use, nodeTo, uncertain)
     or
     // Initial global variable value to a first use
     nodeFrom.(InitialGlobalValue).getGlobalDef() = defOrUse and
@@ -728,15 +740,62 @@ private predicate isArgumentOfCallable(DataFlowCall call, Node n) {
   )
 }
 
-/** Holds if there is def-use or use-use flow from `pun` to `nodeTo`. */
-predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
-  exists(UseOrPhi use, Node preUpdate |
+/**
+ * Holds if there is use-use flow from `pun`'s pre-update node to `n`.
+ */
+private predicate postUpdateNodeToFirstUse(PostUpdateNode pun, Node n) {
+  exists(UseOrPhi use |
     adjustForPointerArith(pun, use) and
-    useToNode(use, nodeTo) and
+    useToNode(use, n)
+  )
+}
+
+private predicate stepUntilNotInCall(DataFlowCall call, Node n1, Node n2) {
+  isArgumentOfCallable(call, n1) and
+  exists(Node mid | localSsaFlow(_, n1, _, mid, _) |
+    isArgumentOfCallable(call, mid) and
+    stepUntilNotInCall(call, mid, n2)
+    or
+    not isArgumentOfCallable(call, mid) and
+    mid = n2
+  )
+}
+
+bindingset[n1, n2]
+pragma[inline_late]
+private predicate isArgumentOfSameCall(DataFlowCall call, Node n1, Node n2) {
+  isArgumentOfCallable(call, n1) and isArgumentOfCallable(call, n2)
+}
+
+/**
+ * Holds if there is def-use or use-use flow from `pun` to `nodeTo`.
+ *
+ * Note: This is more complex than it sounds. Consider a call such as:
+ * ```cpp
+ * write_first_argument(x, x);
+ * sink(x);
+ * ```
+ * Assume flow comes out of the first argument to `write_first_argument`. We
+ * don't want flow to go to the `x` that's also an argument to
+ * `write_first_argument` (because we just flowed out of that function, and we
+ * don't want to flow back into it again).
+ *
+ * We do, however, want flow from the output argument to `x` on the next line, and
+ * similarly we want flow from the second argument of `write_first_argument` to `x`
+ * on the next line.
+ */
+predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
+  exists(Node preUpdate, Node mid |
     preUpdate = pun.getPreUpdateNode() and
-    not exists(DataFlowCall call |
-      isArgumentOfCallable(call, preUpdate) and isArgumentOfCallable(call, nodeTo)
+    postUpdateNodeToFirstUse(pun, mid)
+  |
+    exists(DataFlowCall call |
+      isArgumentOfSameCall(call, preUpdate, mid) and
+      stepUntilNotInCall(call, mid, nodeTo)
     )
+    or
+    not isArgumentOfSameCall(_, preUpdate, mid) and
+    nodeTo = mid
   )
 }
 

cpp/ql/lib/change-notes/released/0.9.3.md

@@ -1,3 +1,19 @@
+## 0.7.5
+
+No user-facing changes.
+
+## 0.7.4
+
+### New Queries
+
+* Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
+
+### Minor Analysis Improvements
+
+* The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
+* Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.
+* The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
+
 ## 0.7.3
 
 No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -0,0 +1,11 @@
+## 0.7.4
+
+### New Queries
+
+* Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
+
+### Minor Analysis Improvements
+
+* The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
+* Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.
+* The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.

cpp/ql/lib/qlpack.yml

@@ -0,0 +1,3 @@
+## 0.7.5
+
+No user-facing changes.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.3
+lastReleaseVersion: 0.7.5

cpp/ql/src/CHANGELOG.md

@@ -1,12 +1,12 @@
 name: codeql/cpp-queries
-version: 0.7.4-dev
-groups: 
+version: 0.8.0-dev
+groups:
   - cpp
   - queries
 dependencies:
-    codeql/cpp-all: ${workspace}
-    codeql/suite-helpers: ${workspace}
-    codeql/util: ${workspace}
+  codeql/cpp-all: ${workspace}
+  codeql/suite-helpers: ${workspace}
+  codeql/util: ${workspace}
 suites: codeql-suites
 extractor: cpp
 defaultSuiteFile: codeql-suites/cpp-code-scanning.qls

cpp/ql/src/change-notes/2023-08-21-invalid-pointer-deref.md

@@ -1,4 +1,4 @@
 WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
 WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
-failures
 testFailures
+failures

cpp/ql/src/change-notes/2023-08-24-no-taint-argv-indirections.md

@@ -788,4 +788,12 @@ void test_sometimes_calls_sink_switch() {
   sometimes_calls_sink_switch(source(), 1);
   sometimes_calls_sink_switch(0, 0);
   sometimes_calls_sink_switch(source(), 0);
+}
+
+void intPointerSource(int *ref_source, const int* another_arg);
+
+void test() {
+  MyStruct a;
+  intPointerSource(a.content, a.content);
+  indirect_sink(a.content); // $ ast ir
 }

cpp/ql/src/change-notes/2023-08-24-remove-non-constant-assign-sources.md

@@ -46,3 +46,6 @@
 | test.cpp:595:8:595:9 | xs | test.cpp:597:9:597:10 | xs |
 | test.cpp:733:7:733:7 | x | test.cpp:734:41:734:41 | x |
 | test.cpp:733:7:733:7 | x | test.cpp:735:8:735:8 | x |
+| test.cpp:796:12:796:12 | a | test.cpp:797:20:797:20 | a |
+| test.cpp:796:12:796:12 | a | test.cpp:797:31:797:31 | a |
+| test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a |

cpp/ql/src/change-notes/2023-08-25-compare-where-assign-meant.md

@@ -7,6 +7,7 @@ edges
 | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
 | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
 | overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
+| overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
 | overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src indirection |

cpp/ql/src/change-notes/released/0.7.4.md

@@ -1,3 +1,11 @@
+## 1.6.5
+
+No user-facing changes.
+
+## 1.6.4
+
+No user-facing changes.
+
 ## 1.6.3
 
 No user-facing changes.

cpp/ql/src/change-notes/released/0.7.5.md

@@ -0,0 +1,3 @@
+## 1.6.4
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -0,0 +1,3 @@
+## 1.6.5
+
+No user-facing changes.

cpp/ql/src/qlpack.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.5

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected

@@ -1,9 +1,9 @@
 name: codeql/csharp-solorigate-all
-version: 1.6.4-dev
+version: 1.7.0-dev
 groups:
-    - csharp
-    - solorigate
+  - csharp
+  - solorigate
 library: true
 dependencies:
-    codeql/csharp-all: ${workspace}
+  codeql/csharp-all: ${workspace}
 warnOnImplicitThis: true

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1,3 +1,11 @@
+## 1.6.5
+
+No user-facing changes.
+
+## 1.6.4
+
+No user-facing changes.
+
 ## 1.6.3
 
 No user-facing changes.

cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected

@@ -0,0 +1,3 @@
+## 1.6.4
+
+No user-facing changes.

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected

@@ -0,0 +1,3 @@
+## 1.6.5
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.5

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.4.md

@@ -1,10 +1,10 @@
 name: codeql/csharp-solorigate-queries
-version: 1.6.4-dev
+version: 1.7.0-dev
 groups:
-    - csharp
-    - solorigate
+  - csharp
+  - solorigate
 defaultSuiteFile: codeql-suites/solorigate.qls
 dependencies:
-    codeql/csharp-all: ${workspace}
-    codeql/csharp-solorigate-all: ${workspace}
+  codeql/csharp-all: ${workspace}
+  codeql/csharp-solorigate-all: ${workspace}
 warnOnImplicitThis: true

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.5.md

@@ -1,3 +1,13 @@
+## 0.7.5
+
+No user-facing changes.
+
+## 0.7.4
+
+### Minor Analysis Improvements
+
+* The `--nostdlib` extractor option for the standalone extractor has been removed.
+
 ## 0.7.3
 
 ### Minor Analysis Improvements

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* The `--nostdlib` extractor option for the standalone extractor has been removed.
+## 0.7.4
+
+### Minor Analysis Improvements
+
+* The `--nostdlib` extractor option for the standalone extractor has been removed.

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -0,0 +1,3 @@
+## 0.7.5
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.3
+lastReleaseVersion: 0.7.5