From cd5509a0f98db63d9b3ad10be3960b35ec1a6f6a Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen
Date: Fri, 15 Nov 2024 11:28:38 +0100
Subject: [PATCH 1/3] Java: locations for range analysis

---
 .../code/java/dataflow/RangeAnalysis.qll | 10 ++++----
 .../semmle/code/java/dataflow/RangeUtils.qll | 2 +-
 .../codeql/rangeanalysis/ModulusAnalysis.qll | 4 ++--
 .../codeql/rangeanalysis/RangeAnalysis.qll | 23 +++++++++++--------
 .../rangeanalysis/internal/RangeUtils.qll | 3 ++-
 5 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll b/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
index e0055d53f08d..774b165e9496 100644
--- a/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
@@ -75,7 +75,7 @@ private import semmle.code.java.Maps
 import Bound
 private import codeql.rangeanalysis.RangeAnalysis
 
-module Sem implements Semantic {
+module Sem implements Semantic {
 private import java as J
 private import SSA as SSA
 private import RangeUtils as RU
@@ -264,7 +264,7 @@ module Sem implements Semantic {
 predicate conversionCannotOverflow = safeCast/2;
 }
 
-module SignInp implements SignAnalysisSig {
+module SignInp implements SignAnalysisSig {
 private import SignAnalysis
 private import internal.rangeanalysis.Sign
 
@@ -281,7 +281,7 @@ module SignInp implements SignAnalysisSig {
 predicate semMayBeNegative(Sem::Expr e) { exprSign(e) = TNeg() }
 }
 
-module Modulus implements ModulusAnalysisSig {
+module Modulus implements ModulusAnalysisSig {
 class ModBound = Bound;
 
 private import codeql.rangeanalysis.ModulusAnalysis as Mod
@@ -307,7 +307,7 @@ module IntDelta implements DeltaSig {
 Delta fromFloat(float f) { result = f }
 }
 
-module JavaLangImpl implements LangSig {
+module JavaLangImpl implements LangSig {
 /**
 * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
 */
@@ -379,7 +379,7 @@ module Bounds implements BoundSig {
 }
 }
 
-module Overflow implements OverflowSig {
+module Overflow implements OverflowSig {
 predicate semExprDoesNotOverflow(boolean positively, Sem::Expr expr) {
 positively = [true, false] and exists(expr)
 }
diff --git a/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll b/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll
index be7f73fe7668..e96d591ced54 100644
--- a/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll
@@ -9,7 +9,7 @@ private import semmle.code.java.Constants
 private import semmle.code.java.dataflow.RangeAnalysis
 private import codeql.rangeanalysis.internal.RangeUtils
 
-private module U = MakeUtils;
+private module U = MakeUtils;
 
 private predicate backEdge = U::backEdge/3;
 
diff --git a/shared/rangeanalysis/codeql/rangeanalysis/ModulusAnalysis.qll b/shared/rangeanalysis/codeql/rangeanalysis/ModulusAnalysis.qll
index f8b4a94079a7..88d816b8644c 100644
--- a/shared/rangeanalysis/codeql/rangeanalysis/ModulusAnalysis.qll
+++ b/shared/rangeanalysis/codeql/rangeanalysis/ModulusAnalysis.qll
@@ -14,9 +14,9 @@ private import codeql.util.Location
 private import RangeAnalysis
 
 module ModulusAnalysis<
- LocationSig Location, Semantic Sem, DeltaSig D, BoundSig Bounds>
+ LocationSig Location, Semantic Sem, DeltaSig D, BoundSig Bounds>
 {
- private import internal.RangeUtils::MakeUtils
+ private import internal.RangeUtils::MakeUtils
 
 bindingset[pos, v]
 pragma[inline_late]
diff --git a/shared/rangeanalysis/codeql/rangeanalysis/RangeAnalysis.qll b/shared/rangeanalysis/codeql/rangeanalysis/RangeAnalysis.qll
index e178c44cafba..d0fc084e6c50 100644
--- a/shared/rangeanalysis/codeql/rangeanalysis/RangeAnalysis.qll
+++ b/shared/rangeanalysis/codeql/rangeanalysis/RangeAnalysis.qll
@@ -65,11 +65,13 @@ private import codeql.util.Location
 
-signature module Semantic {
+signature module Semantic {
 class Expr {
 string toString();
 
 BasicBlock getBasicBlock();
+
+ Location getLocation();
 }
 
 class ConstantIntegerExpr extends Expr {
@@ -294,7 +296,7 @@ signature module Semantic {
 predicate conversionCannotOverflow(Type fromType, Type toType);
 }
 
-signature module SignAnalysisSig {
+signature module SignAnalysisSig Sem> {
 /** Holds if `e` can be positive and cannot be negative. */
 predicate semPositive(Sem::Expr e);
 
@@ -320,7 +322,7 @@ signature module SignAnalysisSig {
 predicate semMayBeNegative(Sem::Expr e);
 }
 
-signature module ModulusAnalysisSig {
+signature module ModulusAnalysisSig Sem> {
 class ModBound;
 
 predicate exprModulus(Sem::Expr e, ModBound b, int val, int mod);
@@ -346,7 +348,7 @@ signature module DeltaSig {
 Delta fromFloat(float f);
 }
 
-signature module LangSig {
+signature module LangSig Sem, DeltaSig D> {
 /**
 * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
 */
@@ -372,7 +374,7 @@ signature module LangSig {
 default predicate includeRelativeBounds() { any() }
 }
 
-signature module BoundSig {
+signature module BoundSig Sem, DeltaSig D> {
 /**
 * A bound that the range analysis can infer for a variable. This includes
 * constant bounds represented by the abstract value zero, SSA bounds for when
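Review bot: In the `@@ -65,11 +65,13 @@` hunk the new `Location getLocation();` requirement added to `Expr` in the `Semantic` signature module carries no QLDoc comment; since every implementation of `Semantic` must now provide it, a one-line `/** Gets the location of this expression. */` above it would state the contract where implementers look for it. The angle-bracketed type-parameter lists appear to have been lost in this rendering, so the removed and added `signature module Semantic {` lines (and the `SignAnalysisSig`, `ModulusAnalysisSig`, `LangSig` and `BoundSig` headers later in the same file) read as identical here, and the new parameter lists, presumably including `LocationSig Location`, cannot be checked from this view. The `Semantic` module continues past the end of the hunk.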
@@ -409,14 +411,15 @@ signature module BoundSig {
 }
 }
 
-signature module OverflowSig {
+signature module OverflowSig Sem, DeltaSig D> {
 predicate semExprDoesNotOverflow(boolean positively, Sem::Expr expr);
 }
 
 module RangeStage<
- LocationSig Location, Semantic Sem, DeltaSig D, BoundSig Bounds,
- OverflowSig OverflowParam, LangSig LangParam, SignAnalysisSig SignAnalysis,
- ModulusAnalysisSig ModulusAnalysisParam>
+ LocationSig Location, Semantic Sem, DeltaSig D, BoundSig Bounds,
+ OverflowSig OverflowParam, LangSig LangParam,
+ SignAnalysisSig SignAnalysis,
+ ModulusAnalysisSig ModulusAnalysisParam>
 {
 private import Bounds
 private import LangParam
@@ -424,7 +427,7 @@ module RangeStage<
 private import OverflowParam
 private import SignAnalysis
 private import ModulusAnalysisParam
- private import internal.RangeUtils::MakeUtils
+ private import internal.RangeUtils::MakeUtils
 
 /**
 * An expression that does conversion, boxing, or unboxing
diff --git a/shared/rangeanalysis/codeql/rangeanalysis/internal/RangeUtils.qll b/shared/rangeanalysis/codeql/rangeanalysis/internal/RangeUtils.qll
index dc1014a886ed..ee6e3a4c958a 100644
--- a/shared/rangeanalysis/codeql/rangeanalysis/internal/RangeUtils.qll
+++ b/shared/rangeanalysis/codeql/rangeanalysis/internal/RangeUtils.qll
@@ -1,6 +1,7 @@
 private import codeql.rangeanalysis.RangeAnalysis
+private import codeql.util.Location
 
-module MakeUtils {
+module MakeUtils Lang, DeltaSig D> {
 private import Lang
 
 /**

From 065f3d1d7a3b9fa8ed5a7d47ea5788a18c3efcbd Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen
Date: Fri, 15 Nov 2024 14:10:51 +0100
Subject: [PATCH 2/3] cpp: locations in range analysis

---
 .../rangeanalysis/new/internal/semantic/SemanticExpr.qll | 3 ++-
 .../new/internal/semantic/analysis/FloatDelta.qll | 3 ++-
 .../semantic/analysis/RangeAnalysisConstantSpecific.qll | 3 ++-
 .../new/internal/semantic/analysis/RangeAnalysisImpl.qll | 6 +++---
 .../semantic/analysis/RangeAnalysisRelativeSpecific.qll | 3 ++-
 .../new/internal/semantic/analysis/SignAnalysisCommon.qll | 3 ++-
 6 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
index a2905e185f1d..668d9b52659e 100644
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
@@ -3,6 +3,7 @@
 */
 
 private import Semantic
+private import SemanticLocation
 private import SemanticExprSpecific::SemanticExprConfig as Specific
 private import SemanticType
 
@@ -15,7 +16,7 @@ private import SemanticType
 class SemExpr instanceof Specific::Expr {
 final string toString() { result = super.toString() }
 
- final Specific::Location getLocation() { result = super.getLocation() }
+ SemLocation getLocation() { result = super.getLocation() }
 
 Opcode getOpcode() { result instanceof Opcode::Unknown }
 
diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/FloatDelta.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/FloatDelta.qll
index 2cdeb9544ab7..4eb3d7a89d16 100644
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/FloatDelta.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/FloatDelta.qll
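Review bot: In the `@@ -15,7 +16,7 @@` hunk of SemanticExpr.qll the rewritten `getLocation()` drops the `final` modifier that the removed line carried, so the member becomes overridable by subclasses of `SemExpr` while the adjacent `toString()` stays `final`; if only the return type was meant to change, keep it as `final SemLocation getLocation() { result = super.getLocation() }`. Whether a `Specific::Location` produced by `super.getLocation()` is also a `SemLocation` is decided in the newly imported `SemanticLocation`, which is outside this patch, so that compatibility cannot be confirmed from here. The `SemExpr` class continues past the end of the hunk.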
@@ -2,6 +2,7 @@ private import RangeAnalysisImpl
 private import codeql.rangeanalysis.RangeAnalysis
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticType
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticLocation
 
 module FloatDelta implements DeltaSig {
 class Delta = float;
@@ -22,7 +23,7 @@ module FloatDelta implements DeltaSig {
 Delta fromFloat(float f) { result = f }
 }
 
-module FloatOverflow implements OverflowSig {
+module FloatOverflow implements OverflowSig {
 predicate semExprDoesNotOverflow(boolean positively, SemExpr expr) {
 exists(float lb, float ub, float delta |
 typeBounds(expr.getSemType(), lb, ub) and
diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
index e9a7dc836e43..6c259faaddcf 100644
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
@@ -3,11 +3,12 @@
 */
 
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticLocation
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
 private import RangeAnalysisImpl
 private import codeql.rangeanalysis.RangeAnalysis
 
-module CppLangImplConstant implements LangSig {
+module CppLangImplConstant implements LangSig {
 /**
 * Ignore the bound on this expression.
 *
diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
index a19baf2eea78..22acb6fc1ca8 100644
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
@@ -12,7 +12,7 @@ private import SemanticType
 private import codeql.rangeanalysis.RangeAnalysis
 private import ConstantAnalysis as ConstantAnalysis
 
-module Sem implements Semantic {
+module Sem implements Semantic {
 class Expr = SemExpr;
 
 class ConstantIntegerExpr = ConstantAnalysis::SemConstantIntegerExpr;
@@ -104,7 +104,7 @@ module Sem implements Semantic {
 }
 }
 
-module SignAnalysis implements SignAnalysisSig {
+module SignAnalysis implements SignAnalysisSig {
 private import SignAnalysisCommon as SA
 import SA::SignAnalysis
 }
@@ -165,7 +165,7 @@ module AllBounds implements BoundSig {
 }
 }
 
-private module ModulusAnalysisInstantiated implements ModulusAnalysisSig {
+private module ModulusAnalysisInstantiated implements ModulusAnalysisSig {
 class ModBound = AllBounds::SemBound;
 
 private import codeql.rangeanalysis.ModulusAnalysis as MA
diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
index 3774d47db8b2..cf23fd09f6f6 100644
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
@@ -3,12 +3,13 @@
 */
 
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticLocation
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
 private import RangeAnalysisImpl
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 private import codeql.rangeanalysis.RangeAnalysis
 
-module CppLangImplRelative implements LangSig {
+module CppLangImplRelative implements LangSig {
 /**
 * Ignore the bound on this expression.
 *
diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll
index 9cd57e5ed622..e07ea7892523 100644
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll
@@ -10,11 +10,12 @@ private import codeql.rangeanalysis.RangeAnalysis
 private import RangeAnalysisImpl
 private import SignAnalysisSpecific as Specific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticLocation
 private import ConstantAnalysis
 private import Sign
 
 module SignAnalysis {
- private import codeql.rangeanalysis.internal.RangeUtils::MakeUtils
+ private import codeql.rangeanalysis.internal.RangeUtils::MakeUtils
 
 /**
 * An SSA definition for which the analysis can compute the sign.

From 1812be7fa86ae8ed4bbb53388ce4d21b17784c7c Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Thu, 9 Jan 2025 11:43:36 +0000
Subject: [PATCH 3/3] Fix stub

---
 .../local/database/vendor/github.com/jmoiron/sqlx/rows.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/jmoiron/sqlx/rows.go b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/jmoiron/sqlx/rows.go
index 484dc7709e93..e70af447c4f0 100644
--- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/jmoiron/sqlx/rows.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/jmoiron/sqlx/rows.go
@@ -20,7 +20,3 @@ func (r *Rows) StructScan(dest interface{}) error {
 func (r *Rows) SliceScan(dest []interface{}) error {
 return nil
 }
-
-func (r *Rows) Scan(dest ...interface{}) error {
- return nil
-}