Merge pull request #684 from adityasharad/merge/1.19-next-131218

Merge rc/1.19 into next.

Author: aibaars

change-notes/1.19/analysis-java.md

@@ -26,6 +26,11 @@ to run queries and explore the data flow in results.
 
 ## Changes to QL libraries
 
+* The class `ControlFlowNode` (and by extension `BasicBlock`) has until now
+  been directly equatable to `Expr` and `Stmt`.  Exploiting these equalities,
+  for example by using casts, is now deprecated, and the conversions
+  `Expr.getControlFlowNode()` and `Stmt.getControlFlowNode()` should be used
+  instead.
 * The default set of taint sources in the `FlowSources` library is extended to
   cover parameters annotated with Spring framework annotations indicating
   remote user input from servlets. This affects all security queries, which

config/identical-files.json

@@ -1,55 +1,98 @@
 {
-    "C++ IR Instruction": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll"
-    ],
-    "C++ IR IRBlock": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll"
-    ],
-    "C++ IR IRVariable": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll"
-    ],
-    "C++ IR FunctionIR": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/FunctionIR.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/FunctionIR.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/FunctionIR.qll"
-    ],
-    "C++ IR Operand": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll"
-    ],
-    "C++ IR IRImpl": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll"
-    ],
-    "C++ IR IRSanityImpl": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll"
-    ],
-    "C++ IR PrintIRImpl": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll"
-    ],
-    "C++ SSA AliasAnalysis": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
-    ],
-    "C++ SSA SSAConstruction": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
-    ],
-    "C++ IR ValueNumber": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
-    ]
+  "DataFlow Java/C++": [
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplDepr.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll"
+  ],
+  "DataFlow Java/C++ Common": [
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll"
+  ],
+  "C++ IR Instruction": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll"
+  ],
+  "C++ IR IRBlock": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll"
+  ],
+  "C++ IR IRVariable": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll"
+  ],
+  "C++ IR FunctionIR": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/FunctionIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/FunctionIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/FunctionIR.qll"
+  ],
+  "C++ IR Operand": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll"
+  ],
+  "C++ IR IRImpl": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll"
+  ],
+  "C++ IR IRSanityImpl": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll"
+  ],
+  "C++ IR PrintIRImpl": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll"
+  ],
+  "C++ SSA AliasAnalysis": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
+  ],
+  "C++ SSA SSAConstruction": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
+  ],
+  "C++ IR ValueNumber": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
+  ],
+  "C++ IR ConstantAnalysis": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
+  ],
+  "C++ IR PrintConstantAnalysis": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
+  ],
+  "C++ IR ReachableBlock": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
+  ],
+  "C++ IR PrintReachableBlock": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
+  ],
+  "C++ IR Dominance": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
+  ]
 }

cpp/ql/src/filters/ImportAdditionalLibraries.ql

@@ -9,11 +9,21 @@
 
 import cpp
 
-import semmle.code.cpp.dataflow.DataFlow
-import semmle.code.cpp.dataflow.DataFlow2
-import semmle.code.cpp.dataflow.DataFlow3
-import semmle.code.cpp.dataflow.DataFlow4
-import semmle.code.cpp.dataflow.TaintTracking
+module ASTDataFlow {
+  import semmle.code.cpp.dataflow.DataFlow
+  import semmle.code.cpp.dataflow.DataFlow2
+  import semmle.code.cpp.dataflow.DataFlow3
+  import semmle.code.cpp.dataflow.DataFlow4
+  import semmle.code.cpp.dataflow.TaintTracking
+}
+
+module IRDataFlow {
+  import semmle.code.cpp.ir.dataflow.DataFlow
+  import semmle.code.cpp.ir.dataflow.DataFlow2
+  import semmle.code.cpp.ir.dataflow.DataFlow3
+  import semmle.code.cpp.ir.dataflow.DataFlow4
+}
+
 import semmle.code.cpp.valuenumbering.HashCons
 
 from File f, string tag

cpp/ql/src/semmle/code/cpp/ir/dataflow/DataFlow.qll

@@ -0,0 +1,23 @@
+/**
+ * Provides a library for local (intra-procedural) and global (inter-procedural)
+ * data flow analysis: deciding whether data can flow from a _source_ to a
+ * _sink_. This library differs from the one in `semmle.code.cpp.dataflow` in that
+ * this library uses the IR (Intermediate Representation) library, which provides
+ * a more precise semantic representation of the program, whereas the other dataflow
+ * library uses the more syntax-oriented ASTs. This library should provide more accurate
+ * results than the AST-based library in most scenarios.
+ *
+ * Unless configured otherwise, _flow_ means that the exact value of
+ * the source may reach the sink. We do not track flow across pointer
+ * dereferences or array indexing.
+ *
+ * To use global (interprocedural) data flow, extend the class
+ * `DataFlow::Configuration` as documented on that class. To use local
+ * (intraprocedural) data flow, invoke `DataFlow::localFlow` or
+ * `DataFlow::LocalFlowStep` with arguments of type `DataFlow::Node`.
+ */
+import cpp
+
+module DataFlow {
+  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl
+}

cpp/ql/src/semmle/code/cpp/ir/dataflow/DataFlow2.qll

@@ -0,0 +1,38 @@
+/**
+ * Provides a `DataFlow2` module, which is a copy of the `DataFlow` module. Use
+ * this class when data-flow configurations must depend on each other. Two
+ * classes extending `DataFlow::Configuration` should never depend on each
+ * other, but one of them should instead depend on a
+ * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
+ * `DataFlow4::Configuration`.
+ *
+ * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
+ */
+import cpp
+
+module DataFlow2 {
+  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl2
+
+  /**
+   * This class exists to prevent mutual recursion between the user-overridden
+   * member predicates of `Configuration` and the rest of the data-flow library.
+   * Good performance cannot be guaranteed in the presence of such recursion, so
+   * it should be replaced by using more than one copy of the data flow library.
+   * Four copies are available: `DataFlow` through `DataFlow4`.
+   */
+  private abstract
+  class ConfigurationRecursionPrevention extends Configuration {
+    bindingset[this]
+    ConfigurationRecursionPrevention() { any() }
+
+    override predicate hasFlow(Node source, Node sink) {
+      strictcount(Node n | this.isSource(n)) < 0
+      or
+      strictcount(Node n | this.isSink(n)) < 0
+      or
+      strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
+      or
+      super.hasFlow(source, sink)
+    }
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/dataflow/DataFlow3.qll

@@ -0,0 +1,38 @@
+/**
+ * Provides a `DataFlow3` module, which is a copy of the `DataFlow` module. Use
+ * this class when data-flow configurations must depend on each other. Two
+ * classes extending `DataFlow::Configuration` should never depend on each
+ * other, but one of them should instead depend on a
+ * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
+ * `DataFlow4::Configuration`.
+ *
+ * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
+ */
+import cpp
+
+module DataFlow3 {
+  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl3
+
+  /**
+   * This class exists to prevent mutual recursion between the user-overridden
+   * member predicates of `Configuration` and the rest of the data-flow library.
+   * Good performance cannot be guaranteed in the presence of such recursion, so
+   * it should be replaced by using more than one copy of the data flow library.
+   * Four copies are available: `DataFlow` through `DataFlow4`.
+   */
+  private abstract
+  class ConfigurationRecursionPrevention extends Configuration {
+    bindingset[this]
+    ConfigurationRecursionPrevention() { any() }
+
+    override predicate hasFlow(Node source, Node sink) {
+      strictcount(Node n | this.isSource(n)) < 0
+      or
+      strictcount(Node n | this.isSink(n)) < 0
+      or
+      strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
+      or
+      super.hasFlow(source, sink)
+    }
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/dataflow/DataFlow4.qll

@@ -0,0 +1,38 @@
+/**
+ * Provides a `DataFlow4` module, which is a copy of the `DataFlow` module. Use
+ * this class when data-flow configurations must depend on each other. Two
+ * classes extending `DataFlow::Configuration` should never depend on each
+ * other, but one of them should instead depend on a
+ * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
+ * `DataFlow4::Configuration`.
+ *
+ * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
+ */
+import cpp
+
+module DataFlow4 {
+  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl4
+
+  /**
+   * This class exists to prevent mutual recursion between the user-overridden
+   * member predicates of `Configuration` and the rest of the data-flow library.
+   * Good performance cannot be guaranteed in the presence of such recursion, so
+   * it should be replaced by using more than one copy of the data flow library.
+   * Four copies are available: `DataFlow` through `DataFlow4`.
+   */
+  private abstract
+  class ConfigurationRecursionPrevention extends Configuration {
+    bindingset[this]
+    ConfigurationRecursionPrevention() { any() }
+
+    override predicate hasFlow(Node source, Node sink) {
+      strictcount(Node n | this.isSource(n)) < 0
+      or
+      strictcount(Node n | this.isSink(n)) < 0
+      or
+      strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
+      or
+      super.hasFlow(source, sink)
+    }
+  }
+}