Merge branch 'main' into overrun-write-only-one-alert

Author: MathiasVP

.github/workflows/tree-sitter-extractor-test.yml

@@ -43,4 +43,4 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Run clippy
-        run: cargo clippy -- --no-deps # -D warnings
+        run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments

cpp/ql/lib/change-notes/2023-05-02-range-analysis-wrapper.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added an AST-based interface (`semmle.code.cpp.rangeanalysis.new.RangeAnalysis`) for the relative range analysis library.

cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll

@@ -1,4 +1,7 @@
 import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon
 private import codeql.util.Unit
 
 module ProductFlow {
@@ -352,32 +355,119 @@ module ProductFlow {
         pragma[only_bind_out](succ.getNode().getEnclosingCallable())
     }
 
+    private newtype TKind =
+      TInto(DataFlowCall call) {
+        intoImpl1(_, _, call) or
+        intoImpl2(_, _, call)
+      } or
+      TOutOf(DataFlowCall call) {
+        outImpl1(_, _, call) or
+        outImpl2(_, _, call)
+      } or
+      TJump()
+
+    private predicate intoImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
+      Flow1::PathGraph::edges(pred1, succ1) and
+      pred1.getNode().(ArgumentNode).getCall() = call and
+      succ1.getNode() instanceof ParameterNode
+    }
+
+    private predicate into1(Flow1::PathNode pred1, Flow1::PathNode succ1, TKind kind) {
+      exists(DataFlowCall call |
+        kind = TInto(call) and
+        intoImpl1(pred1, succ1, call)
+      )
+    }
+
+    private predicate outImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
+      Flow1::PathGraph::edges(pred1, succ1) and
+      exists(ReturnKindExt returnKind |
+        succ1.getNode() = returnKind.getAnOutNode(call) and
+        pred1.getNode().(ReturnNodeExt).getKind() = returnKind
+      )
+    }
+
+    private predicate out1(Flow1::PathNode pred1, Flow1::PathNode succ1, TKind kind) {
+      exists(DataFlowCall call |
+        outImpl1(pred1, succ1, call) and
+        kind = TOutOf(call)
+      )
+    }
+
+    private predicate intoImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
+      Flow2::PathGraph::edges(pred2, succ2) and
+      pred2.getNode().(ArgumentNode).getCall() = call and
+      succ2.getNode() instanceof ParameterNode
+    }
+
+    private predicate into2(Flow2::PathNode pred2, Flow2::PathNode succ2, TKind kind) {
+      exists(DataFlowCall call |
+        kind = TInto(call) and
+        intoImpl2(pred2, succ2, call)
+      )
+    }
+
+    private predicate outImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
+      Flow2::PathGraph::edges(pred2, succ2) and
+      exists(ReturnKindExt returnKind |
+        succ2.getNode() = returnKind.getAnOutNode(call) and
+        pred2.getNode().(ReturnNodeExt).getKind() = returnKind
+      )
+    }
+
+    private predicate out2(Flow2::PathNode pred2, Flow2::PathNode succ2, TKind kind) {
+      exists(DataFlowCall call |
+        kind = TOutOf(call) and
+        outImpl2(pred2, succ2, call)
+      )
+    }
+
     pragma[nomagic]
     private predicate interprocEdge1(
-      Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1
+      Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1,
+      TKind kind
     ) {
       Flow1::PathGraph::edges(pred1, succ1) and
       predDecl != succDecl and
       pred1.getNode().getEnclosingCallable() = predDecl and
-      succ1.getNode().getEnclosingCallable() = succDecl
+      succ1.getNode().getEnclosingCallable() = succDecl and
+      (
+        into1(pred1, succ1, kind)
+        or
+        out1(pred1, succ1, kind)
+        or
+        kind = TJump() and
+        not into1(pred1, succ1, _) and
+        not out1(pred1, succ1, _)
+      )
     }
 
     pragma[nomagic]
     private predicate interprocEdge2(
-      Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2
+      Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2,
+      TKind kind
     ) {
       Flow2::PathGraph::edges(pred2, succ2) and
       predDecl != succDecl and
       pred2.getNode().getEnclosingCallable() = predDecl and
-      succ2.getNode().getEnclosingCallable() = succDecl
+      succ2.getNode().getEnclosingCallable() = succDecl and
+      (
+        into2(pred2, succ2, kind)
+        or
+        out2(pred2, succ2, kind)
+        or
+        kind = TJump() and
+        not into2(pred2, succ2, _) and
+        not out2(pred2, succ2, _)
+      )
     }
 
     private predicate interprocEdgePair(
       Flow1::PathNode pred1, Flow2::PathNode pred2, Flow1::PathNode succ1, Flow2::PathNode succ2
     ) {
-      exists(Declaration predDecl, Declaration succDecl |
-        interprocEdge1(predDecl, succDecl, pred1, succ1) and
-        interprocEdge2(predDecl, succDecl, pred2, succ2)
+      exists(Declaration predDecl, Declaration succDecl, TKind kind |
+        interprocEdge1(predDecl, succDecl, pred1, succ1, kind) and
+        interprocEdge2(predDecl, succDecl, pred2, succ2, kind)
       )
     }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -58,6 +58,9 @@ module Consistency {
     predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
       none()
     }
+
+    /** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
+    predicate identityLocalStepExclude(Node n) { none() }
   }
 
   private class RelevantNode extends Node {
@@ -287,4 +290,10 @@ module Consistency {
     not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
     msg = "Non-unique content approximation."
   }
+
+  query predicate identityLocalStep(Node n, string msg) {
+    simpleLocalFlowStep(n, n) and
+    not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
+    msg = "Node steps to itself"
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -58,6 +58,9 @@ module Consistency {
     predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
       none()
     }
+
+    /** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
+    predicate identityLocalStepExclude(Node n) { none() }
   }
 
   private class RelevantNode extends Node {
@@ -287,4 +290,10 @@ module Consistency {
     not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
     msg = "Non-unique content approximation."
   }
+
+  query predicate identityLocalStep(Node n, string msg) {
+    simpleLocalFlowStep(n, n) and
+    not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
+    msg = "Node steps to itself"
+  }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/RangeAnalysis.qll

@@ -0,0 +1,113 @@
+/**
+ * Provides an AST-based interface to the relative range analysis, which tracks bounds of the form
+ * `a <= b + delta` for expressions `a` and `b` and an integer offset `delta`.
+ */
+
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysis
+private import cpp
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.controlflow.IRGuards
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.Bound as IRBound
+private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * Holds if e is bounded by `b + delta`. The bound is an upper bound if
+ * `upper` is true, and can be traced back to a guard represented by `reason`.
+ */
+predicate bounded(Expr e, Bound b, float delta, boolean upper, Reason reason) {
+  exists(SemanticExprConfig::Expr semExpr |
+    semExpr.getUnconverted().getUnconvertedResultExpression() = e
+  |
+    semBounded(semExpr, b, delta, upper, reason)
+  )
+}
+
+/**
+ * Holds if e is bounded by `b + delta`. The bound is an upper bound if
+ * `upper` is true, and can be traced back to a guard represented by `reason`.
+ * The `Expr` may be a conversion.
+ */
+predicate convertedBounded(Expr e, Bound b, float delta, boolean upper, Reason reason) {
+  exists(SemanticExprConfig::Expr semExpr |
+    semExpr.getConverted().getConvertedResultExpression() = e
+  |
+    semBounded(semExpr, b, delta, upper, reason)
+  )
+}
+
+/**
+ * A reason for an inferred bound. This can either be `CondReason` if the bound
+ * is due to a specific condition, or `NoReason` if the bound is inferred
+ * without going through a bounding condition.
+ */
+class Reason instanceof SemReason {
+  /** Gets a string representation of this reason */
+  string toString() { none() }
+}
+
+/**
+ * A reason for an inferred bound that indicates that the bound is inferred
+ * without going through a bounding condition.
+ */
+class NoReason extends Reason instanceof SemNoReason {
+  override string toString() { result = "NoReason" }
+}
+
+/** A reason for an inferred bound pointing to a condition. */
+class CondReason extends Reason instanceof SemCondReason {
+  override string toString() { result = SemCondReason.super.toString() }
+
+  /** Gets the guard condition that caused the inferred bound */
+  GuardCondition getCond() {
+    result = super.getCond().(IRGuardCondition).getUnconvertedResultExpression()
+  }
+}
+
+/**
+ * A bound that may be inferred for an expression plus/minus an integer delta.
+ */
+class Bound instanceof IRBound::Bound {
+  /** Gets a string representation of this bound. */
+  string toString() { none() }
+
+  /** Gets an expression that equals this bound. */
+  Expr getAnExpr() { none() }
+
+  /** Gets an expression that equals this bound plus `delta`. */
+  Expr getAnExpr(int delta) { none() }
+
+  /** Gets a representative locaiton for this bound */
+  Location getLocation() { none() }
+}
+
+/**
+ * The bound that corresponds to the integer 0. This is used to represent all
+ * integer bounds as bounds are always accompanied by an added integer delta.
+ */
+class ZeroBound extends Bound instanceof IRBound::ZeroBound {
+  override string toString() { result = "0" }
+
+  override Expr getAnExpr(int delta) {
+    result = super.getInstruction(delta).getUnconvertedResultExpression()
+  }
+
+  override Location getLocation() { result instanceof UnknownDefaultLocation }
+}
+
+/**
+ * A bound corresponding to the value of an `Instruction`.
+ */
+class ValueNumberBound extends Bound instanceof IRBound::ValueNumberBound {
+  override string toString() { result = "ValueNumberBound" }
+
+  override Expr getAnExpr(int delta) {
+    result = super.getInstruction(delta).getUnconvertedResultExpression()
+  }
+
+  override Location getLocation() { result = IRBound::ValueNumberBound.super.getLocation() }
+
+  /** Gets the value number that equals this bound. */
+  GVN getValueNumber() { result = super.getValueNumber() }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysis.qll

@@ -120,13 +120,6 @@ module ModulusAnalysis<DeltaSig D, BoundSig<D> Bounds, UtilSig<D> U> {
     )
   }
 
-  /**
-   * Holds if `rix` is the number of input edges to `phi`.
-   */
-  private predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
-    rix = max(int r | rankedPhiInput(phi, _, _, r))
-  }
-
   /**
    * Gets the remainder of `val` modulo `mod`.
    *
@@ -322,20 +315,4 @@ module ModulusAnalysis<DeltaSig D, BoundSig<D> Bounds, UtilSig<D> U> {
       semExprModulus(rarg, b, val, mod) and isLeft = false
     )
   }
-
-  /**
-   * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
-   * in an arbitrary 1-based numbering of the input edges to `phi`.
-   */
-  private predicate rankedPhiInput(
-    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
-  ) {
-    edge.phiInput(phi, inp) and
-    edge =
-      rank[r](SemSsaReadPositionPhiInputEdge e |
-        e.phiInput(phi, _)
-      |
-        e order by e.getOrigBlock().getUniqueId()
-      )
-  }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll

@@ -877,6 +877,22 @@ module RangeStage<
     )
   }
 
+  pragma[assume_small_delta]
+  pragma[nomagic]
+  private predicate boundedPhiRankStep(
+    SemSsaPhiNode phi, SemBound b, D::Delta delta, boolean upper, boolean fromBackEdge,
+    D::Delta origdelta, SemReason reason, int rix
+  ) {
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+      Utils::rankedPhiInput(phi, inp, edge, rix) and
+      boundedPhiCandValidForEdge(phi, b, delta, upper, fromBackEdge, origdelta, reason, inp, edge)
+    |
+      if rix = 1
+      then any()
+      else boundedPhiRankStep(phi, b, delta, upper, fromBackEdge, origdelta, reason, rix - 1)
+    )
+  }
+
   /**
    * Holds if `b + delta` is a valid bound for `phi`.
    * - `upper = true`  : `phi <= b + delta`
@@ -886,8 +902,9 @@ module RangeStage<
     SemSsaPhiNode phi, SemBound b, D::Delta delta, boolean upper, boolean fromBackEdge,
     D::Delta origdelta, SemReason reason
   ) {
-    forex(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge | edge.phiInput(phi, inp) |
-      boundedPhiCandValidForEdge(phi, b, delta, upper, fromBackEdge, origdelta, reason, inp, edge)
+    exists(int r |
+      Utils::maxPhiInputRank(phi, r) and
+      boundedPhiRankStep(phi, b, delta, upper, fromBackEdge, origdelta, reason, r)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeUtils.qll

@@ -138,3 +138,26 @@ module RangeUtil<Range::DeltaSig D, Range::LangSig<D> Lang> implements Range::Ut
     not exists(Lang::getAlternateTypeForSsaVariable(var)) and result = var.getType()
   }
 }
+
+/**
+ * Holds if `rix` is the number of input edges to `phi`.
+ */
+predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
+  rix = max(int r | rankedPhiInput(phi, _, _, r))
+}
+
+/**
+ * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
+ * in an arbitrary 1-based numbering of the input edges to `phi`.
+ */
+predicate rankedPhiInput(
+  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
+) {
+  edge.phiInput(phi, inp) and
+  edge =
+    rank[r](SemSsaReadPositionPhiInputEdge e |
+      e.phiInput(phi, _)
+    |
+      e order by e.getOrigBlock().getUniqueId()
+    )
+}