Merge remote-tracking branch 'githubsemmle/master' into HEAD

Author: erik-krogh

change-notes/1.24/analysis-cpp.md

@@ -0,0 +1,20 @@
+# Improvements to C/C++ analysis
+
+The following changes in version 1.24 affect C/C++ analysis in all applications.
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings.  This approach produces fewer, more accurate results. |
+
+## Changes to libraries
+
+* 

change-notes/1.24/analysis-javascript.md

@@ -6,6 +6,9 @@
   - [react](https://www.npmjs.com/package/react)
   - [Handlebars](https://www.npmjs.com/package/handlebars)
 
+- Imports with the `.js` extension can now be resolved to a TypeScript file,
+  when the import refers to a file generated by TypeScript.
+
 ## New queries
 
 | **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |

config/identical-files.json

@@ -143,6 +143,11 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
     "csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll"
   ],
+  "IR SSASanity": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSASanity.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSASanity.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSASanity.qll"
+  ],
   "C++ IR InstructionImports": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",

cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql

@@ -16,28 +16,28 @@
 
 import cpp
 import semmle.code.cpp.dataflow.DataFlow
-import semmle.code.cpp.models.implementations.Memcpy
+import semmle.code.cpp.models.interfaces.ArrayFunction
 
 class MallocCall extends FunctionCall {
   MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }
 
-  Expr getAllocatedSize() {
-    if this.getArgument(0) instanceof VariableAccess
-    then
-      exists(LocalScopeVariable v, ControlFlowNode def |
-        definitionUsePair(v, def, this.getArgument(0)) and
-        exprDefinition(v, def, result)
-      )
-    else result = this.getArgument(0)
-  }
+  Expr getAllocatedSize() { result = this.getArgument(0) }
 }
 
 predicate terminationProblem(MallocCall malloc, string msg) {
-  malloc.getAllocatedSize() instanceof StrlenCall and
-  not exists(FunctionCall fc, MemcpyFunction memcpy, int ix |
-    DataFlow::localExprFlow(malloc, fc.getArgument(ix)) and
-    fc.getTarget() = memcpy and
-    memcpy.hasArrayOutput(ix)
+  // malloc(strlen(...))
+  exists(StrlenCall strlen | DataFlow::localExprFlow(strlen, malloc.getAllocatedSize())) and
+  // flows into a null-terminated string function
+  exists(ArrayFunction af, FunctionCall fc, int arg |
+    DataFlow::localExprFlow(malloc, fc.getArgument(arg)) and
+    fc.getTarget() = af and
+    (
+      // null terminated string
+      af.hasArrayWithNullTerminator(arg)
+      or
+      // likely a null terminated string (such as `strcpy`, `strcat`)
+      af.hasArrayWithUnknownSize(arg)
+    )
   ) and
   msg = "This allocation does not include space to null-terminate the string."
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -13,14 +13,20 @@ IRUserVariable getIRUserVariable(Language::Function func, Language::Variable var
 }
 
 /**
- * Represents a variable referenced by the IR for a function. The variable may
- * be a user-declared variable (`IRUserVariable`) or a temporary variable
- * generated by the AST-to-IR translation (`IRTempVariable`).
+ * A variable referenced by the IR for a function. The variable may be a user-declared variable
+ * (`IRUserVariable`) or a temporary variable generated by the AST-to-IR translation
+ * (`IRTempVariable`).
  */
-abstract class IRVariable extends TIRVariable {
+class IRVariable extends TIRVariable {
   Language::Function func;
 
-  abstract string toString();
+  IRVariable() {
+    this = TIRUserVariable(_, _, func) or
+    this = TIRTempVariable(func, _, _, _) or
+    this = TIRStringLiteral(func, _, _, _)
+  }
+
+  string toString() { none() }
 
   /**
    * Holds if this variable's value cannot be changed within a function. Currently used for string
@@ -41,19 +47,19 @@ abstract class IRVariable extends TIRVariable {
   /**
    * Gets the type of the variable.
    */
-  abstract Language::LanguageType getLanguageType();
+  Language::LanguageType getLanguageType() { none() }
 
   /**
    * Gets the AST node that declared this variable, or that introduced this
    * variable as part of the AST-to-IR translation.
    */
-  abstract Language::AST getAST();
+  Language::AST getAST() { none() }
 
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
    */
-  abstract string getUniqueId();
+  string getUniqueId() { none() }
 
   /**
    * Gets the source location of this variable.
@@ -72,7 +78,7 @@ abstract class IRVariable extends TIRVariable {
 }
 
 /**
- * Represents a user-declared variable referenced by the IR for a function.
+ * A user-declared variable referenced by the IR for a function.
  */
 class IRUserVariable extends IRVariable, TIRUserVariable {
   Language::Variable var;
@@ -97,20 +103,34 @@ class IRUserVariable extends IRVariable, TIRUserVariable {
 }
 
 /**
- * Represents a variable (user-declared or temporary) that is allocated on the
- * stack. This includes all parameters, non-static local variables, and
- * temporary variables.
+ * A variable (user-declared or temporary) that is allocated on the stack. This includes all
+ * parameters, non-static local variables, and temporary variables.
  */
-abstract class IRAutomaticVariable extends IRVariable { }
+class IRAutomaticVariable extends IRVariable {
+  IRAutomaticVariable() {
+    exists(Language::Variable var |
+      this = TIRUserVariable(var, _, func) and
+      Language::isVariableAutomatic(var)
+    )
+    or
+    this = TIRTempVariable(func, _, _, _)
+  }
+}
 
+/**
+ * A user-declared variable that is allocated on the stack. This includes all parameters and
+ * non-static local variables.
+ */
 class IRAutomaticUserVariable extends IRUserVariable, IRAutomaticVariable {
   override Language::AutomaticVariable var;
 
-  IRAutomaticUserVariable() { Language::isVariableAutomatic(var) }
-
   final override Language::AutomaticVariable getVariable() { result = var }
 }
 
+/**
+ * A user-declared variable that is not allocated on the stack. This includes all global variables,
+ * namespace-scope variables, static fields, and static local variables.
+ */
 class IRStaticUserVariable extends IRUserVariable {
   override Language::StaticVariable var;
 
@@ -119,10 +139,19 @@ class IRStaticUserVariable extends IRUserVariable {
   final override Language::StaticVariable getVariable() { result = var }
 }
 
-abstract class IRGeneratedVariable extends IRVariable {
+/**
+ * A variable that is not user-declared. This includes temporary variables generated as part of IR
+ * construction, as well as string literals.
+ */
+class IRGeneratedVariable extends IRVariable {
   Language::AST ast;
   Language::LanguageType type;
 
+  IRGeneratedVariable() {
+    this = TIRTempVariable(func, ast, _, type) or
+    this = TIRStringLiteral(func, ast, type, _)
+  }
+
   final override Language::LanguageType getLanguageType() { result = type }
 
   final override Language::AST getAST() { result = ast }
@@ -144,6 +173,11 @@ IRTempVariable getIRTempVariable(Language::AST ast, TempVariableTag tag) {
   result.getTag() = tag
 }
 
+/**
+ * A temporary variable introduced by IR construction. The most common examples are the variable
+ * generated to hold the return value of afunction, or the variable generated to hold the result of
+ * a condition operator (`a ? b : c`).
+ */
 class IRTempVariable extends IRGeneratedVariable, IRAutomaticVariable, TIRTempVariable {
   TempVariableTag tag;
 
@@ -158,18 +192,28 @@ class IRTempVariable extends IRGeneratedVariable, IRAutomaticVariable, TIRTempVa
   override string getBaseString() { result = "#temp" }
 }
 
+/**
+ * A temporary variable generated to hold the return value of a function.
+ */
 class IRReturnVariable extends IRTempVariable {
   IRReturnVariable() { tag = ReturnValueTempVar() }
 
   final override string toString() { result = "#return" }
 }
 
+/**
+ * A temporary variable generated to hold the exception thrown by a `ThrowValue` instruction.
+ */
 class IRThrowVariable extends IRTempVariable {
   IRThrowVariable() { tag = ThrowTempVar() }
 
   override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A variable generated to represent the contents of a string literal. This variable acts much like
+ * a read-only global variable.
+ */
 class IRStringLiteral extends IRGeneratedVariable, TIRStringLiteral {
   Language::StringLiteral literal;
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -94,12 +94,21 @@ module InstructionSanity {
   /**
    * Holds if instruction `instr` has multiple operands with tag `tag`.
    */
-  query predicate duplicateOperand(Instruction instr, OperandTag tag) {
-    strictcount(NonPhiOperand operand |
-      operand = instr.getAnOperand() and
-      operand.getOperandTag() = tag
-    ) > 1 and
-    not tag instanceof UnmodeledUseOperandTag
+  query predicate duplicateOperand(
+    Instruction instr, string message, IRFunction func, string funcText
+  ) {
+    exists(OperandTag tag, int operandCount |
+      operandCount = strictcount(NonPhiOperand operand |
+          operand = instr.getAnOperand() and
+          operand.getOperandTag() = tag
+        ) and
+      operandCount > 1 and
+      not tag instanceof UnmodeledUseOperandTag and
+      message = "Instruction has " + operandCount + " operands with tag '" + tag.toString() + "'" +
+          " in function '$@'." and
+      func = instr.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
   }
 
   /**

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -6,26 +6,6 @@ private import semmle.code.cpp.models.interfaces.Alias
 
 private class IntValue = Ints::IntValue;
 
-/**
- * Converts the bit count in `bits` to a byte count and a bit count in the form
- * bytes:bits.
- */
-bindingset[bits]
-string bitsToBytesAndBits(int bits) { result = (bits / 8).toString() + ":" + (bits % 8).toString() }
-
-/**
- * Gets a printable string for a bit offset with possibly unknown value.
- */
-bindingset[bitOffset]
-string getBitOffsetString(IntValue bitOffset) {
-  if Ints::hasValue(bitOffset)
-  then
-    if bitOffset >= 0
-    then result = "+" + bitsToBytesAndBits(bitOffset)
-    else result = "-" + bitsToBytesAndBits(Ints::neg(bitOffset))
-  else result = "+?"
-}
-
 /**
  * Gets the offset of field `field` in bits.
  */
@@ -137,7 +117,11 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
       or
       // Adding an integer to or subtracting an integer from a pointer propagates
       // the address with an offset.
-      bitOffset = getPointerBitOffset(instr.(PointerOffsetInstruction))
+      exists(PointerOffsetInstruction ptrOffset |
+        ptrOffset = instr and
+        operand = ptrOffset.getLeftOperand() and
+        bitOffset = getPointerBitOffset(ptrOffset)
+      )
       or
       // Computing a field address from a pointer propagates the address plus the
       // offset of the field.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -865,3 +865,17 @@ private module CachedForDebugging {
     result.getTag() = var.getTag()
   }
 }
+
+module SSASanity {
+  query predicate multipleOperandMemoryLocations(
+    OldIR::MemoryOperand operand, string message, OldIR::IRFunction func, string funcText
+  ) {
+    exists(int locationCount |
+      locationCount = strictcount(Alias::getOperandMemoryLocation(operand)) and
+      locationCount > 1 and
+      func = operand.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction()) and
+      message = "Operand has " + locationCount.toString() + " memory accesses in function '$@'."
+    )
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSASanity.ql

@@ -0,0 +1,8 @@
+/**
+ * @name Aliased SSA Sanity Check
+ * @description Performs sanity checks on the SSA construction. This query should have no results.
+ * @kind table
+ * @id cpp/aliased-ssa-sanity-check
+ */
+
+import SSASanity

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSASanity.qll

@@ -0,0 +1,2 @@
+private import SSAConstruction as SSA
+import SSA::SSASanity