Kotlin: Add support for Kotlin 2.4.0

[andersfugmann]

Summary

Adds support for Kotlin 2.4.0 to the CodeQL Kotlin extractor. This follows the established two-phase upgrade process documented in java/kotlin-extractor/UPGRADING.md.

Changes

Phase 1 — Version limit

• Raised the supported version ceiling from 2.3.30 to 2.4.10
• Updated documentation (supported-versions-compilers.rst)

Phase 2 — API compatibility

• Downloaded 2.4.0 compiler jars (LFS)
• Created compatibility layer (v_2_4_0/IrCompat.kt) for the unified parameters model:
  • valueParameters → parameters.filter { it.kind == Regular }
  • extensionReceiverParameter → parameters.firstOrNull { it.kind == ExtensionReceiver }
  • getValueArgument(i) / putValueArgument(i, v) → offset-adjusted arguments[i + offset]
• Migrated plugin registration to CompilerPluginRegistrar (service file is version-conditional in BUILD.bazel)
• Fixed annotation creation to use IrAnnotationImpl.fromSymbolOwner() (2.4.0 type hierarchy change)

Test expectations

• Updated exprs and reflection library test expectations for IrRichPropertyReference — a new IR node in 2.4.0 for bound callable references that is not yet handled by the extractor

Known limitations (follow-up PR)

Kotlin 2.4.0 introduces IrRichFunctionReference and IrRichPropertyReference nodes for bound callable references. The extractor does not yet visit these nodes, resulting in slightly reduced extraction coverage for bound property/function references. This causes:

• 2 CONSISTENCY callArgs entries (parameter count mismatch on unhandled bound refs)
• ~13 fewer extracted sub-expressions in delegated property references

This will be addressed in a dedicated follow-up PR.

Testing

• CI "Check Kotlin versions" workflow: all versions 1.8.0–2.4.0 pass ✅
• Local language-tests-2 (20 slices, 3,398 tests): all pass ✅
• Backward compatibility: versions 1.8.0–2.3.21 unaffected ✅

[andersfugmann]

Follow-up: Handle IrRichFunctionReference (minor)

Kotlin 2.4.0 introduces two new IR nodes for bound callable references.

Update: The IrRichPropertyReference issue was a red herring. The actual bug was that our codeQlExtensionReceiver compat function did not handle IrPropertyReference (where symbol.owner is IrProperty, not IrFunction). Fixed in the latest commit — no test expectation changes needed, full extraction parity maintained.

The IrRichFunctionReference and IrRichPropertyReference nodes are introduced in a later lowering phase (JVM backend) — they do NOT appear in the IR that reaches our IrGenerationExtension. Our plugin sees the pre-lowered IrPropertyReference/IrFunctionReference nodes with bound receivers stored in the unified arguments list.

Remaining (truly minor) follow-up

No follow-up PR is currently needed. All 3,398 kotlin2 language tests pass with the original expected files. If future Kotlin versions change when rich references appear in the pipeline, we may need to revisit.

[andersfugmann]

/qlucie

[andersfugmann]

Analysis: Test expected file changes (K2 behavioral differences)

Several integration tests and language tests now produce different results because Kotlin 2.4.0 drops -language-version 1.9 support, forcing us to use -language-version 2.0 (K2 frontend).

Background

These tests were originally pinned to -language-version 1.9 in PR #16554 (May 2024) by @igfoo as a known workaround. A follow-up issue was filed: codeql-kotlin-team#196 — "Look into integration test failures in Kotlin 2 mode" (still open, unresolved).

Root cause

The K2 compiler frontend resolves certain method calls differently than K1. Specifically, toString() on java.nio.file.Path and java.lang.CharSequence gets a different callable ID in the Kotlin extractor than what the Java extractor produces. This causes:

1. DB-CHECK VALUE_NOT_IN_TYPE errors — the Kotlin extractor emits a callableBinding referencing a callable ID that the Java extractor never created
2. Lost taint flow results (31 in pathsanitizer, 1 in CWE-312) — dataflow analysis cannot follow taint through calls whose callable IDs do not resolve

Verification

I verified this is a pre-existing K2 issue unrelated to our 2.4.0 extractor changes:

• Ran the pathsanitizer test with the released CodeQL CLI (v2.23.9) + Kotlin 2.3.20 + -language-version 2.0 → same callableBinding errors
• The callableBinding generation code (KotlinFileExtractor.kt) is unchanged by this PR — our changes are only API compatibility shims in the v_2_4_0 directory
• The K2 frontend (not our extractor) determines which callable a method call resolves to

Disposition

Test	Change	Justification
enhanced-nullability	DB-CHECK.expected added	K2 enhanced nullability changes type resolution
kotlin_java_lowering_wildcards	DB-CHECK.expected + result update	K2 resolves wildcards more precisely
external-property-overloads	Path format change	K2 binary location format differs
file_classes	Lost AKt.class	K2 does not expose pre-compiled classpath file-classes in IR
java-interface-redeclares-tostring	All results lost	K2 does not synthesize IR stubs for Java interface methods
pathsanitizer	DB-CHECK.expected + 31 lost taint flows	K2 Path.toString() callable ID mismatch
CWE-312	DB-CHECK.expected + 1 lost result	K2 CharSequence.toString() callable ID mismatch

Follow-up

The taint flow losses are a real quality regression for mixed Java/Kotlin projects using Kotlin 2.0+. This affects all users, not just our tests — it was simply hidden because tests used -language-version 1.9. This should be addressed in codeql-kotlin-team#196.