github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
3 043 коммитов 1 541 ветка 130 Теги 483 MiB
Граф коммитов

986 Коммитов

Автор SHA1 Сообщение Дата
Jonas Jensen 9219214d64
Merge pull request #695 from raulgarciamsft/users/raulga/c6324 
cpp - Using the return value of a strcpy or related string copy function in an if statement
 2019-01-10 08:34:17 +01:00
Geoffrey White 7a877bfe14 CPP: Add exception for wrapped whitelisted functions. 2019-01-09 18:30:19 +00:00
Geoffrey White f983391cbf CPP: Add exception for pow. 2019-01-09 15:06:23 +00:00
Geoffrey White 11013b0ec6 CPP: Add a few more test cases. 2019-01-09 14:58:25 +00:00
Ian Lynagh 7a0ed57916 C++: Add namespace_inline 2019-01-09 14:47:27 +00:00
Geoffrey White 82e54568a5 CPP: Add qhelp. 2019-01-09 14:03:28 +00:00
Jonas Jensen 9146b8e32e C++: Add example of conditional destruction 
The QL CFG and extractor CFG are the same, so the test passes. Neither
of them model that `ref` may or may not be destructed.
 2019-01-09 15:02:25 +01:00
Jonas Jensen 8ac826a62a C++: Factor out base case of normalGroupMember 
This recursive predicate is made faster by working around a known
optimizer problem (QL-796) that causes the optimizer to insert extra
type checks in recursive case even when they are only needed in the
base case.
 2019-01-09 15:02:25 +01:00
Geoffrey White cbe69f2daf CPP: Fix false positive. 2019-01-09 13:59:24 +00:00
Geoffrey White e26c709dbf CPP: Add a test for LossyFunctionResultCast.ql. 2019-01-09 13:59:24 +00:00
Geoffrey White 0e092ae88d CPP: Tag LossyFunctionResultCast.ql. Will be run on LGTM. 2019-01-09 13:59:24 +00:00
Jonas Jensen c74b89119e C++: Reorder parameters to subEdge relations 
This improves performance slightly by putting the parameters in the
order in which they'll be needed in `qlCFGSuccessor`.
 2019-01-09 14:58:43 +01:00
ian-semmle b3bcabf7c6
Merge pull request #724 from jbj/cfg-pr 
C++: Construct a CFG with QL
 2019-01-09 13:12:39 +00:00
Geoffrey White 6088ca5d5b CPP: Update our uses of MacroInvocationExpr. 2019-01-09 12:17:29 +00:00
Geoffrey White b59c2868cd CPP: Add test cases for the macro logic and other details of ArithmeticUncontrolled.ql. 2019-01-09 12:17:29 +00:00
Geoffrey White a1caa85172 CPP: Deprecate MacroInvocationExpr. 2019-01-09 11:45:08 +00:00
Geoffrey White 75b1fb36ec CPP: Deprecate MacroInvocationStmt. 2019-01-09 11:45:08 +00:00
Robert Marsh c39de75d3d C++: change in-predicate comment formatting 2019-01-08 09:34:29 -08:00
Robert Marsh af8a3f2522 C++: expand a comment 2019-01-08 09:34:28 -08:00
Robert Marsh 0040a2d123 C++: respond to further PR comments 2019-01-08 09:34:28 -08:00
Robert Marsh 8c9c316e1b C++: performance and termination fixes 2019-01-08 09:34:27 -08:00
Robert Marsh 567eee1114 C++: allow phi nodes to self-bound 2019-01-08 09:34:27 -08:00
Robert Marsh b2cd9a29f2 C++: add test for false comparisons 2019-01-08 09:34:26 -08:00
Robert Marsh 2f8ca8802b C++: switch to using ValueNumbers as bounds 
This reduces the number of bounds computed, and will simplify use of the
library. The resulting locations in the tests may be slightly strange,
because the example `Instruction` for a `ValueNumber` is the first
appearing in the IR, regardless of source order, and may not be the most
closely related `Instruction` to the bounded value. I think that's worth
doing for the performance and usability benefits.
 2019-01-08 09:34:26 -08:00
Robert Marsh 89148a9ec7 C++: respond to further PR comments 2019-01-08 09:34:26 -08:00
Robert Marsh ae4ffd9166 C++: respond to PR comments, add some TODOs 2019-01-08 09:34:25 -08:00
Robert Marsh fe32aea31f C++: fix/add comments 2019-01-08 09:34:25 -08:00
Robert Marsh ed68f9150a C++: Initial implementation of new range analysis 2019-01-08 09:34:23 -08:00
Robert Marsh a06a20dbab C++: move SimpleRangeAnalysis tests 2019-01-08 09:34:23 -08:00
Jonas Jensen 1be91b5df5 C++: Use IPA for Pos and Spec 
This is cleaner than extending `int` and working with magic numbers.
Performance appears to be unaffected.
 2019-01-08 16:23:11 +01:00
Jonas Jensen dba3351d2c C++: Update comments based on PR feedback 2019-01-08 13:29:03 +01:00
Raul Garcia 18bb6696e0 Fixing conditional only issue. 
I changed  to detect any logical operation usage (i.e. !, ==), but I kept usage in a conditional directly as a separate detection condition. I found no false positives on the projects you shared with me previously.
 2019-01-07 10:44:11 -08:00
Raul Garcia 880306c621 Removing duplicated results 2019-01-04 10:45:43 -08:00
Jonas Jensen 26f32f0d6d C++: Initial version of CFG.qll 
This implements calculation of the control-flow graph in QL. The new
code is not enabled yet as we'll need more extractor changes first.

The `SyntheticDestructorCalls.qll` file is a temporary solution that can
be removed when the extractor produces this information directly.
 2019-01-04 13:34:36 +01:00
Max Schaefer b4f400fb23 Merge remote-tracking branch 'upstream/next' into qlucie/master 2019-01-04 10:35:57 +00:00
Jonas Jensen a47faa2272 C++: Add ConditionDeclExpr convenience predicates 
Also expand the QLDoc.
 2019-01-04 10:24:08 +01:00
Jonas Jensen ca0517b3d6 C++: LocalVariable docs 2019-01-04 10:24:08 +01:00
Jonas Jensen 8f9849b30b C++: Add BuiltInIntAddr class for __INTADDR__ 2019-01-04 10:24:08 +01:00
Jonas Jensen 79e246f961
Merge pull request #722 from geoffw0/doc-macroinv 
CPP: Improve qldoc for MacroAccess and MacroInvocation.
 2019-01-04 08:40:37 +01:00
Ian Lynagh 187fdf67b0 C++: Rename `twoOperand` to `isTwoOperand` 2019-01-03 21:09:49 +00:00
Ian Lynagh 98e8858dc6 C++: Accept test changes 2019-01-03 21:09:49 +00:00
Ian Lynagh 283eb51db8 C++: Update stats after adding expr_cond* tables 2019-01-03 21:09:49 +00:00
Ian Lynagh dc3d87f2fc C++: Add tables for ConditionalExprs 2019-01-03 21:09:49 +00:00
Raul Garcia 89c045b550 Merge branch 'users/raulga/c6324' of https://github.com/raulgarciamsft/ql into users/raulga/c6324 2019-01-03 10:06:59 -08:00
Raul Garcia 2c1d7bbc41 Switched to DataFlow::localFlow to avoid false positives. 2019-01-03 10:06:49 -08:00
Geoffrey White 787febae6e CPP: Improve qldoc for MacroAccess and MacroInvocation. 2019-01-03 15:16:47 +00:00
Jonas Jensen b17fb86961 C++: Factor out `reachable` base case 2019-01-03 11:20:18 +01:00
Raul Garcia e7bc3e6c0d
Update UsingStrcpyAsBoolean.cpp 2019-01-02 17:33:28 -08:00
Raul Garcia 28932e85d9 Fixing the code based on PR feedback. 2019-01-02 16:23:19 -08:00
Jonas Jensen d566141273
Merge pull request #694 from dave-bartolomeo/dave/BetterUnreached 
C++: Remove infeasible edges to reachable blocks
 2018-12-21 07:36:51 +00:00
Dave Bartolomeo a7cb2d6d7c C++: Ignore `Unreached` blocks in IR Guards 2018-12-20 11:57:25 -08:00
Dave Bartolomeo 63a2670fcd C++: Don't have `ReachableBlock` extends `IRBlock` 2018-12-17 13:10:53 -08:00
Dave Bartolomeo fda8605aae C++: One `Unreached` per function 2018-12-17 11:03:15 -08:00
alexet d61022ffcc C++: Improve optimiser performance 2018-12-17 16:11:23 +00:00
Jonas Jensen 5ac5aa0c2a Merge remote-tracking branch 'upstream/master' into mergeback-20181217 2018-12-17 13:42:45 +01:00
Raul Garcia f8ab945b91
Merge branch 'master' into users/raulga/c6324 2018-12-14 15:46:38 -08:00
Raul Garcia 16f2bacf4d cpp - Using the return value of a strcpy or related string copy function in an if statement 2018-12-14 15:42:49 -08:00
Dave Bartolomeo 56bb9dcde0 C++: Remove infeasible edges to reachable blocks 
The existing unreachable IR removal code only retargeted an infeasible edge to an `Unreached` instruction if the successor of the edge was an unreachable block. This is too conservative, because it doesn't remove an infeasible edge that targets a block that is still reachable via other paths. The trivial example of this is `do { } while (false);`, where the back edge is infeasible, but the body block is still reachable from the loop entry.

This change retargets all infeasible edges to `Unreached` instructions, regardless of the reachability of the successor block.
 2018-12-14 12:13:22 -08:00
Jonas Jensen 23a2bf1756 C++: Delete dead code with warnings in it 2018-12-14 10:59:41 +00:00
Aditya Sharad f71e5ac338 Merge master into next. 2018-12-13 17:57:31 +00:00
Geoffrey White b21e832ee2
Merge pull request #683 from jbj/prepareQueries-fix-warnings 
C++: Fix all prepareQueries errors and warnings
 2018-12-13 15:30:44 +00:00
Aditya Sharad ce8ca5979b Merge rc/1.19 into next. 2018-12-13 12:23:59 +00:00
Jonas Jensen bee2ddaf26 C++: Fix all prepareQueries errors and warnings 
With these changes we can run `odasa prepareQueries --check-only
--fail-on-warnings` on the C++ query directory. Two changes were needed:

1. The `Metrics/queries.xml` file had to be deleted. It existed because
   the built distribution has a different file layout, where `Metrics`
   is moved to the top-level query dir `odasa-cpp-metrics`. Since
   internal PR 28230 this file is created as needed as part of the dist
   build process, so it doesn't need to be checked in with the sources.
2. All uses of the `deprecated` and stubbed-out Objective C classes were
   removed.
 2018-12-13 11:13:50 +00:00
Jonas Jensen 1a0a8c931f C++: Fix name clash in data flow imports 
The AST-based data flow libraries and the IR-based ones both define
modules `DataFlow`, `DataFlow2`, etc. This caused
`ImportAdditionalLibraries.ql` to fail in compilation.
 2018-12-13 09:53:20 +00:00
Geoffrey White e443eb8889 CPP: Fix type logic. 2018-12-13 09:49:32 +00:00
Geoffrey White c904a338f7 CPP: Add test cases. 2018-12-12 23:47:48 +00:00
Aditya Sharad f92456fcad Merge master into next. 
Conflict in `cpp/ql/test/library-tests/sideEffects/functions/sideEffects.expected`,
resolved by accepting test output (combining changes).
 2018-12-12 17:26:18 +00:00
Geoffrey White 2f3a874c7d CPP: Fix false positives when a member variable is released via the target of a function pointer. 2018-12-12 11:38:44 +00:00
Geoffrey White 370387a9ca CPP: Fix false positives when member variable is released via an ExprCall. 2018-12-12 11:38:44 +00:00
Geoffrey White e408f18766 CPP: Fix false positives when member variable is released via capture inside lambda expression. 2018-12-12 11:38:44 +00:00
Geoffrey White 6efd481118 CPP: Make references to the 'kind' of an alloc/delete consistent (this used to be called the 'release' or 'releaseName'). 2018-12-12 11:38:44 +00:00
Geoffrey White 8e2459a6b7 CPP: Add similar test cases with function pointers. 2018-12-12 11:38:44 +00:00
Geoffrey White 77c1ad47f9 CPP: Add test cases with lambdas. 2018-12-12 11:38:44 +00:00
Dave Bartolomeo be5ac2f2ff
Merge pull request #648 from dave-bartolomeo/dave/UnreachableIR 
C++: Remove unreachable IR
 2018-12-11 20:58:49 -08:00
Dave Bartolomeo 0140cd23d0 C++: Accept correct test output 2018-12-11 17:11:51 -08:00
Dave Bartolomeo 283c1d43c3 C++: Restore previous test expectations 2018-12-11 17:07:25 -08:00
Robert Marsh 59c0e5d39e C++: update test expectations 2018-12-11 15:07:09 -08:00
Robert Marsh 98005edd9d
Merge pull request #641 from geoffw0/exprnoeffect2 
CPP: More tests of isSideEffectFree() / ExprHasNoEffect.ql
 2018-12-11 12:17:30 -08:00
Aditya Sharad ce905e7a0a
Merge pull request #597 from dave-bartolomeo/dave/IRDataflow 
C++: Initial IR-based dataflow implementation
 2018-12-11 15:05:58 +00:00
Aditya Sharad dde42a5723 Merge rc/1.19 into next. 2018-12-11 14:38:58 +00:00
Dave Bartolomeo 8a73bea72f C++: Avoid bad join ordering in `getOperandMemoryAccess` 2018-12-11 00:47:53 -08:00
Dave Bartolomeo 4170d4fadd C++: Handle relational operators in constant analysis 2018-12-10 23:03:02 -08:00
Dave Bartolomeo 5ba51e32f0 C++: Remove aliased_ssa instantiation of IR reachability 
We never actually consumed this iteration, since SSA construction only depends on the reachability instantiation of the previous IR layer.
 2018-12-10 21:22:55 -08:00
Dave Bartolomeo a81ba84c0e C++: Update test expectations after unreachable IR removal 2018-12-10 21:22:55 -08:00
Dave Bartolomeo b2e596fcc2 C++: Improve join order in IR reachability 2018-12-10 21:22:55 -08:00
Dave Bartolomeo 99d33f9623 C++: Remove unreachable IR 
This change removes any IR instructions that can be statically proven unreachable. To detect unreachable IR, we first run a simple constant value analysis on the IR. Then, any `ConditionalBranch` with a constant condition has the appropriate edge marked as "infeasible". We define a class `ReachableBlock` as any `IRBlock` with a path from the entry block of the function. SSA construction has been modified to operate only on `ReachableBlock` and `ReachableInstruction`, which ensures that only reachable IR gets translated into SSA form. For any infeasible edge where its predecessor block is reachable, we replace the original target of the branch with an `Unreached` instruction, which lets us preserve the invariant that all `ConditionalBranch` instructions have both a true and a false edge, and allows guard inference to still work.

The changes to `SSAConstruction.qll` are not as scary as they look. They are almost entirely a mechanical replacement of `OldIR::IRBlock` with `OldBlock`, which is just an alias for `ReachableBlock`.

Note that the `constant_func.ql` test can determine that the two new test functions always return 0.

Removing unreachable code helps get rid of some common FPs in IR-based dataflow analysis, especially for constructs like `while(true)`.
 2018-12-10 21:22:55 -08:00
Dave Bartolomeo 59fc77f066 C++: Simple constant analysis 
This change moves the simple constant analysis that was used by the const_func test into a pyrameterized module for use on any stage of the IR. This will be used to detect unreachable code.
 2018-12-10 21:22:54 -08:00
Dave Bartolomeo 6a11ef5c18 C++: Add a couple test cases for unreachable code in IR 2018-12-10 21:22:54 -08:00
Dave Bartolomeo 78e5b3ad63 C++: Add IR dataflow to ImportAdditionalQueries.ql 2018-12-10 15:09:49 -08:00
Dave Bartolomeo 23993710d1 Revert "C++: Avoid creating `ExprNode`s for `Conversion`s" 
This reverts commit df882a9e72.
 2018-12-10 15:06:29 -08:00
Dave Bartolomeo df882a9e72 C++: Avoid creating `ExprNode`s for `Conversion`s 2018-12-10 10:09:42 -08:00
Aditya Sharad 02b58a8319
Merge pull request #625 from adityasharad/merge/1.19-next-051218 
Merge rc/1.19 into next.
 2018-12-10 10:05:16 +00:00
Geoffrey White 9857a85817 CPP: Fix similar queries. 2018-12-07 18:43:28 +00:00
Geoffrey White 0f268cac40 CPP: Fix the issue. 2018-12-07 18:43:27 +00:00
Geoffrey White 02a060fbfa CPP: Add a test. 2018-12-07 18:21:48 +00:00
Ian Lynagh 4f51257e56 C++: Update stats 2018-12-07 16:13:07 +00:00
Geoffrey White e7390f3ea5 CPP: Add simple tests of CommaExpr. 2018-12-07 14:29:09 +00:00
Aditya Sharad fcfab26267 Merge rc/1.19 into next. 2018-12-07 12:31:51 +00:00
Geoffrey White b1e7649d02 CPP: Add functions containing errors to the sideEffects tests. 2018-12-07 09:54:36 +00:00
Jonas Jensen 00e52df371 C++: Rename "Incorrect 'not' operator usage" 
This makes the casing consistent with our other queries.
 2018-12-07 09:24:35 +01:00
Dave Bartolomeo ebbd701188 C++: Fix PR feedback 2018-12-06 12:35:43 -08:00
Dave Bartolomeo 84b39bf999 C++: Simplify models for side effects and alias info. 2018-12-06 12:35:33 -08:00
Ian Lynagh 8d655c74ae C++: Follow range for statement test output changes 2018-12-06 11:12:46 +00:00
Dave Bartolomeo 2b80aee557 C++: Use `getConvertedResultExpr` in IR-based dataflow 
This sort of fixes one FP and causes a new FN, but for the wrong reasons. The IR dataflow is tracking the reference itself, rather than the referred-to object. Once we can better model indirections, we can make this work correctly.

This change is still the right thing to do, because it ensures that the dataflow is looking at actual expression being computed by the instruction.
 2018-12-05 12:34:44 -08:00
Dave Bartolomeo e8efb32156 C++: Remove `StoreDestinationAsPostUpdateNode` 2018-12-05 11:33:48 -08:00
Dave Bartolomeo 65360b23f9 C++: Change model API based on feedback 
I've separated the model interface for memory side effects from the model for escaped addresses. It will be fairly common for a given model to extend both interfaces, but they are used for two different purposes.

I've also put each model interface and the non-member predicates that query it into a named module, which seemed cleaner than having predicates named `functionModelReadsMemory()` and `getFunctionModelParameterAliasBehavior()`.
 2018-12-05 10:58:46 -08:00
Ian Lynagh 7d8a8de53d C++: Test output changes following CatchAny fix 2018-12-05 15:35:54 +00:00
Geoffrey White d85f4b540c CPP: Fix false positive. 2018-12-05 10:01:54 +00:00
Geoffrey White e7f19e97cb CPP: Add a test of UnusedStaticVariable.ql. 2018-12-05 10:01:54 +00:00
Dave Bartolomeo e11b4b6c40 C++: Fix IR Dataflow PR feedback 2018-12-04 07:31:13 -08:00
Geoffrey White a7f45bb59d
Merge pull request #608 from jbj/assignment-this-templates 
C++: Fix "Overloaded assignment does not return 'this'" for templates
 2018-12-04 14:12:56 +00:00
Aditya Sharad 3caf4e52a7 Merge rc/1.19 into next. 2018-12-04 12:39:41 +00:00
Jonas Jensen 6239455a91 C++: Remove extra type check in AV Rule 82 
These type checks were overlapping with `assignOperatorWithWrongType` is
are no longer needed now that `assignOperatorWithWrongType` is improved.
They were causing FPs and misleading error messages on uninstantiated
templates.
 2018-12-04 12:59:21 +01:00
Jonas Jensen 8ac427c387 C++: Add missing getUnspecifiedType in AV Rule 82 
Adding this call to `getUnspecifiedType` makes the error message better
in the presence of typedefs and qualifiers on an assignment operator
return type. It's also needed to avoid losing valid results in the
commit that comes after this.
 2018-12-04 11:13:11 +01:00
Jonas Jensen a78ded7551 C++: Demonstrate FP in AV Rule 82 
The added test is a reduced version of a FP observed in the wild.
 2018-12-04 11:09:35 +01:00
Nick Rolfe a637eb651f C++: fix expected test output for improved extraction of agg. inits. 2018-12-03 16:45:53 +00:00
Geoffrey White 436ee553a6
Merge pull request #589 from jbj/1.19-change-notes 
C++: add missing 1.19 change notes
 2018-12-03 15:56:18 +00:00
Jonas Jensen b80cf30cee
Merge pull request #562 from geoffw0/cpp-308 
CPP: Fix FPs for 'Resource not released in destructor' involving virtual method calls
 2018-12-03 15:57:11 +01:00
Geoffrey White d8c7537557 CPP: * -> + 2018-12-03 13:11:52 +00:00
Geoffrey White dfbccc4bcf CPP: Additional test cases. 2018-12-03 13:11:52 +00:00
Nick Rolfe fc91ff1a69 C++: we now process operands for vacuous destructor calls thru pointers 2018-12-03 12:16:35 +00:00
Dave Bartolomeo 2822d14588 C++: Add missing changes to test_ir.expected 2018-12-02 22:22:34 -08:00
Jonas Jensen d14cf34cc6 C++: data flow AlwaysTrueUponEntryLoop perf fix 
The predicate `AlwaysTrueUponEntryLoop.getARelevantVariable` was very
sensitive to join ordering, and with the 1.19 QL engine it got an
unfortunate join order that made it explode on certain snapshots. With
this change, it goes from taking minutes to taking less than a second on
a libretro-uae snapshot.
 2018-12-01 10:07:08 +01:00
Dave Bartolomeo 7eb47f3f82 C++: A few more IR dataflow tweaks 
Made `Node::getType()`, `Node::asParameter()`, and `Node::asUninitialized()` operate directly on the IR. This actually fixed several diffs compared to the AST dataflow, because `getType()` wasn't holding for nodes that weren't `Exprs`.

Made `Uninitialized` a `VariableInstruction`. This makes it consistent with `InitializeParameter`.
 2018-11-30 16:53:45 -08:00
Dave Bartolomeo 309b703e47 C++: Models for side-effect-free functions 
This commit adds a new model interface that describes the known side effects (or lack thereof) of a library function. Does it read memory, does it write memory, and do any of its parameters escape? Initially, we have models for just two Standard Library functions: `std::move` and `std::forward`, which neither read nor write memory, and do not escape their parameter.

IR construction has been updated to insert the correct side effect instruction (or no side effect instruction) based on the model.
 2018-11-30 12:15:23 -08:00
Dave Bartolomeo af443569d9 C++: Fix handling of accesses to escaped variables in Aliased SSA 
This fixes a subtle bug in the construction of aliased SSA. `getResultMemoryAccess` was failing to return a `MemoryAccess` for a store to a variable whose address escaped. This is because no `VirtualIRVariable` was being created for such variables. The code was assuming that any access to such a variable would be via `UnknownMemoryAccess`. The result is that accesses to such variables were not being modeled in SSA at all.

Instead, the way to handle this is to have a `VariableMemoryAccess` even when the variable being accessed has escaped, and to have `VariableMemoryAccess::getVirtualVariable()` return the `UnknownVirtualVariable` for escaped variables. In the future, this will also let us be less conservative about inserting `Chi` nodes, because we'll be able to determine that there's an exact overlap between two accesses to the same escaped variable in some cases.
 2018-11-30 12:15:19 -08:00
Dave Bartolomeo ae8f18c0b5 C++: Treat all `Convert` instructions as dataflow 
The AST dataflow library essentially ignores conversions, which is probably the right behavior. Converting an `int` to a `long` preserves the value, even if the bit pattern might be different. It's arguable whether narrowing conversions should be treated as dataflow, but we'll do so for now. We can revisit that if we see it cause problems.
 2018-11-30 12:15:15 -08:00
Dave Bartolomeo 58f7596519 C++: IR-based dataflow 2018-11-30 12:15:11 -08:00
Kevin Backhouse 939db5a7cd
Merge pull request #583 from jbj/bbStrictlyDominates-nomagic 
C++: pragma[nomagic] on bbStrictlyDominates
 2018-11-30 15:12:24 +00:00
Jonas Jensen 60076cb734
Merge pull request #532 from geoffw0/query-tags-3 
CPP: Query Tags 3 (JPL_C queries)
 2018-11-30 15:45:01 +01:00
Jonas Jensen 148c79a0e6 C++: Deprecate RecursionPrevention 2018-11-30 15:41:43 +01:00
Jonas Jensen 4712a8f913 C++: pragma[nomagic] on bbStrictlyPostDominates 
This predicate was recently added and is likely to get the same problems
as `bbStrictlyDominates` with magic.
 2018-11-30 11:37:18 +01:00
Jonas Jensen ace8fa88f2 C++: pragma[nomagic] on bbStrictlyDominates 
I noticed that queries using the data flow library spent significant
time in `#Dominance::bbIDominates#fbPlus`, which is the body of the
`bbStrictlyDominates` predicate. That predicate took 28 seconds to
compute on Wireshark.

The `b` in the predicate name means that magic was applied, and the
application of magic meant that it could not be evaluated with the
built-in `fastTC` HOP but became an explicit recursion instead. Applying
`pragma[nomagic]` to this predicate means that we will always get it
evaluated with `fastTC`, and that takes less than a second in my test
case.
 2018-11-30 11:36:11 +01:00
Geoffrey White 453529e3bf
Merge pull request #575 from jbj/UnsafeCreateProcessCall-nullValue 
C++: Avoid using nullValue predicate (rc/1.19)
 2018-11-30 09:54:17 +00:00
Jonas Jensen 9babb4366b Merge remote-tracking branch 'upstream/master' into mergeback-20181130 2018-11-30 10:13:33 +01:00
Jonas Jensen dd3791490a
Merge pull request #580 from geoffw0/av-79-perf 
CPP: Fix performance issue with AV Rule 79.ql.
 2018-11-30 08:39:38 +01:00
Jonas Jensen b98452ddb1
Merge pull request #474 from rdmarsh2/rdmarsh/cpp/call-side-effect 
C++: Initital aliased SSA with Chi nodes and function side effects
 2018-11-29 18:31:29 +01:00
Geoffrey White 4744cece7b
Merge pull request #576 from jbj/bbEntryReachesLocally-perf 
C++: Fix performance of bbEntryReachesLocally (1.19)
 2018-11-29 17:12:47 +00:00
Geoffrey White e09ce77678 CPP: Fix performance issue with AV Rule 79.ql. 2018-11-29 15:16:01 +00:00
Mark Shannon 11ca7b74a3
Merge pull request #572 from geoffw0/deprecate-cpython 
CPP: Delete CPython queries
 2018-11-29 14:50:06 +00:00
Jonas Jensen 90ad5cfac5
Merge pull request #569 from geoffw0/deprecate-pointsto-debug 
CPP: Deprecate the PointsTo debug queries.
 2018-11-29 15:28:07 +01:00
Jonas Jensen 62d478eab3 C++: Fix performance of bbEntryReachesLocally 
This predicate was fast with the queries and engine from 1.18. With the
queries from `master` it got a bad join order in the
`UninitializedLocal.ql` query, which made it take 2m34s on Wireshark.
This commit decomposes `bbEntryReachesLocally` into two predicates that
together take only 4s.
 2018-11-29 15:11:32 +01:00
Jonas Jensen 8654ebcbbd C++: Avoid using nullValue predicate 
The `nullValue` predicate performs a slow custom data-flow analysis to
find possible null values. It's so slow that it timed out after 1200s on
Wireshark.

In `UnsafeCreateProcessCall.ql`, the values found with `nullValue` were
used as sources in another data-flow analysis. By using the `NullValue`
class as sink instead of `nullValue`, we avoid the slow-down of doing
data flow twice. The `NullValue` class is essentially the base case of
`nullValue`. Confusing names, yes.
 2018-11-29 13:33:45 +01:00
Jonas Jensen d991fa84b1
Merge pull request #552 from geoffw0/move-security-tests-add 
CPP: Add the Semmle security tests.
 2018-11-29 10:49:20 +01:00
Geoffrey White 9d95291124 CPP: Delete the CPython queries and libraries. 2018-11-29 09:29:46 +00:00
Geoffrey White 909ff428ac CPP: Deprecate the CPython queries. 2018-11-29 09:28:29 +00:00
Dave Bartolomeo 40864f9ebb C++: Fix GVN test expectation 2018-11-28 14:07:23 -08:00
semmle-qlci d31c9950f9
Merge pull request #566 from ian-semmle/defuse_test 
Approved by dave-bartolomeo
 2018-11-28 20:48:14 +00:00
Geoffrey White d261f1b6d2 CPP: Deprecate the PointsTo tests. 2018-11-28 20:23:33 +00:00
Dave Bartolomeo d7938362dd C++: Rename Chi IPA types to match classes 2018-11-28 10:33:04 -08:00
Geoffrey White 1232694340 CPP: Add external/jpl tags. 2018-11-28 18:18:28 +00:00
Ian Lynagh 6cb6b1c07d C++: Tweak the defuse test 
It looks like this is what it was originally intended to do.
 2018-11-28 17:11:17 +00:00
Geoffrey White 0eb0bf988e CPP: Fix for virtual method calls. 2018-11-28 14:19:24 +00:00
Dave Bartolomeo 5d997c7135 C++: Big QLDoc comment for `ChiInstruction` 2018-11-27 17:09:26 -08:00
Dave Bartolomeo 53cd5e9994 C++: Fix bug introduced by earlier commit 2018-11-27 14:57:58 -08:00
Dave Bartolomeo 7e6e6f00c1 C++: Fix IR for designated array initializers 2018-11-27 14:57:23 -08:00
Dave Bartolomeo 0a20f9ffbf C++: Print field names and element indices for aggregate literals in PrintAST 2018-11-27 13:26:18 -08:00
Dave Bartolomeo 90b79eb5f3 C++: Accept GVN test expectations with Chi nodes 2018-11-27 12:56:23 -08:00
Geoffrey White 7107cec503 CPP: Add test cases. 2018-11-27 17:20:14 +00:00
Jonas Jensen c403bb1cad
Merge pull request #541 from kevinbackhouse/CppPostDominators 
Add post-dominators
 2018-11-27 08:23:43 +01:00
Dave Bartolomeo 689002a22e C++: Fix handling of Chi instructions in sign analysis 2018-11-26 16:46:39 -08:00
Robert Marsh f4ce7b9648 C++: respond to further PR review comments 2018-11-26 16:16:46 -08:00
Robert Marsh 7ef0d5e98d C++: respond to technical nits 2018-11-26 15:47:47 -08:00
Dave Bartolomeo 2b9afe95e8 C++: Accept test output after rebase 2018-11-26 12:08:19 -08:00
Robert Marsh 799eb06eea C++: add AliasedDefinition for aliased SSA 2018-11-26 12:08:19 -08:00
Robert Marsh 3ee033d96e C++: IR sanity fixes for Chi nodes 2018-11-26 12:08:19 -08:00
Robert Marsh b401cd97f2 C++: use UnmodeledDefinition in UnmodeledUse 2018-11-26 12:08:19 -08:00
Robert Marsh 927f935e62 C++: hook ChiInstructions into the operand graph 2018-11-26 12:08:19 -08:00
Robert Marsh a33b59103a C++: insert Chi nodes in the IR successor relation 
This commit adds Chi nodes to the successor relation and accounts for
them in the CFG, but does not add them to the SSA data graph. Chi nodes
are inserted for partial writes to any VirtualVariable, regardless of
whether the partial write reaches any uses.
 2018-11-26 12:08:18 -08:00
Dave Bartolomeo 1fb36ff7e7 C++: Add conservative side effects for function calls 2018-11-26 12:08:18 -08:00
Robert Marsh f9ed39915f C++: recompute IRBlock membership at each stage 
This enables the addition of new instructions in later phases of IR
construction; in particular, aliasing write instructions and inference
instructions.
 2018-11-26 12:08:18 -08:00
Geoffrey White f034abc275 CPP: Add the Semmle security tests. 2018-11-26 17:52:34 +00:00
Aditya Sharad 7aef8fa945
Merge pull request #547 from pavgust/fix/cwe-497-performance 
C++: Refactor CWE-497 for clarity and performance
 2018-11-26 17:13:27 +00:00
Kevin Backhouse 4877659578 Fix names. 2018-11-26 14:56:35 +00:00
Jonas Jensen fcd53ae631
Merge pull request #540 from geoffw0/cpp-296 
CPP: Fix false positive from AutoGeneratedFile.qll.
 2018-11-26 15:03:21 +01:00
Kevin Backhouse bc752e1a98 Add post-dominators. 2018-11-24 18:23:27 +00:00
Geoffrey White f338a4f0d6 CPP: Fix false positive from AutoGeneratedFile.qll. 2018-11-23 17:34:18 +00:00
Aditya Sharad c20b688a3f Merge master into next. 2018-11-23 16:36:31 +00:00
Pavel Avgustinov d4b2c01634 Lift out intermediate helper predicate. 2018-11-23 14:22:44 +00:00
Geoffrey White 0855543ac4 CPP: Tag the JPL_C LOC-4 queries. 2018-11-23 10:31:37 +00:00
Geoffrey White e6dddd90b7 CPP: Add a test of FunctionPointerConversions.ql. 2018-11-23 10:31:36 +00:00
Geoffrey White 0a27022dd4
Merge pull request #523 from jbj/placement-new-never-freed 
C++: Detect non-allocating placement new in cpp/memory-never-freed
 2018-11-23 09:40:11 +00:00
Jonas Jensen 4ad59235d8
Merge pull request #524 from geoffw0/cpp-299 
CPP: Add (partial) dataflow to OverflowStatic.ql
 2018-11-23 08:46:07 +01:00
semmle-qlci 816a94eaa9
Merge pull request #525 from jbj/uninit-badast-mergefix 
Approved by geoffw0, ian-semmle
 2018-11-22 21:05:54 +00:00
Geoffrey White 5d8e34a55f CPP: Add a test of NonConstFunctionPointer.ql. 2018-11-22 17:48:40 +00:00
Geoffrey White 17560cf92e CPP: Tag the JPL_C LOC-3 queries. 2018-11-22 17:48:35 +00:00
Geoffrey White 9cc39ae875 CPP: Tag the JPL_C LOC-2 queries. 2018-11-22 16:31:08 +00:00
Geoffrey White a47db56a68 CPP: Tag DuplicateBlock.ql. 2018-11-22 16:31:08 +00:00
Geoffrey White cb609f4be0 CPP: Be conservative where there are multiple flow sources. 2018-11-22 15:50:13 +00:00
Geoffrey White d57574e92c CPP: localFlowStep* -> localFlow. 2018-11-22 15:50:13 +00:00
Geoffrey White ea56a5d9ce CPP: Add local dataflow to (one bit of) OverflowStatic.ql. 2018-11-22 15:49:13 +00:00
Geoffrey White 01ba635e1d CPP: Add some test cases involving dataflow. 2018-11-22 15:49:13 +00:00
Geoffrey White dc224c5c94
Merge pull request #521 from felicity-semmle/cpp/update-qhelp 
C++: Update qhelp for consistency
 2018-11-22 15:31:34 +00:00
Pavel Avgustinov b9a3a71406
Merge pull request #518 from jbj/vcs-deprecate-queries 
C++: Deprecate queries using VCS.qll
 2018-11-22 15:07:19 +00:00
Jonas Jensen da26b4f856 C++: Accept test changes for IR 
This test was failing due to a semantic merge conflict between #509,
which added `UninitializedInstruction`, and #517, which added new test
code that would get `UninitializedInstruction`s in it after merging with #509.
 2018-11-22 13:52:33 +01:00
Jonas Jensen 75873bb4a6 C++: Detect non-allocating placement new 
This adds a `NewOrNewArrayExpr.getPlacementPointer` predicate and uses
it in `Alloc.qll` to detect when a `new`-expression is not an
allocation.

User-defined replacements for `operator new` may not be allocations
either, but the code continues to assume that they are. It's possible
that we want to change this assumption in the future or leave it up to
individual queries to decide on which side to err. It's hard to
statically tell whether `operator new` has been overloaded in a
particular file because it can be overloaded by a definition that is not
in scope but is only linked together with that file.
 2018-11-22 11:31:19 +01:00
Felicity Chapman 8cad0b6ef1 Update qhelp for consistency 2018-11-22 10:25:41 +00:00
Jonas Jensen a17debac3e C++: Placement-new tests for MemoryNeverFreed.ql 2018-11-22 10:48:18 +01:00
Jonas Jensen e062851709
Merge pull request #517 from dave-bartolomeo/dave/IRFilter 
C++: Don't generate IR for functions with bad ASTs
 2018-11-22 10:02:18 +01:00
Jonas Jensen 220487bb32 C++: Deprecate queries using VCS.qll 
One query imported VCS.qll for no reason, so I removed the import
instead of deprecating the query.
 2018-11-22 08:21:49 +01:00