Merge branch 'master' into ir-this-parameter-2

Bring in fix for duplicate virtual variables for parameter indirections

Author: Robert Marsh

change-notes/1.25/analysis-cpp.md

@@ -41,4 +41,4 @@ The following changes in version 1.25 affect C/C++ analysis in all applications.
   };
   ```
 * The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) now considers that equality checks may block the flow of taint.  This results in fewer false positive results from queries that use this library.
-
+* The length of a tainted string (such as the return value of a call to `strlen` or `strftime` with tainted parameters) is no longer itself considered tainted by the `models` library.  This leads to fewer false positive results in queries that use any of our taint libraries.

cpp/ql/src/semmle/code/cpp/commons/unix/Constants.qll

@@ -4,6 +4,11 @@
 
 import cpp
 
+/**
+ * Gets the number corresponding to the contents of `input` in base-8.
+ * Note: the first character of `input` must be `0`. For example:
+ * `parseOctal("012345") = 5349`.
+ */
 bindingset[input]
 int parseOctal(string input) {
   input.charAt(0) = "0" and
@@ -15,44 +20,77 @@ int parseOctal(string input) {
     )
 }
 
+/** Gets the number corresponding to the "set-user-ID on execute bit" in Unix. */
 int s_isuid() { result = parseOctal("04000") }
 
+/** Gets the number corresponding to the "set-group-ID on execute bit" in Unix. */
 int s_isgid() { result = parseOctal("02000") }
 
+/** Gets the number corresponding to the sticky bit in Unix. */
 int s_isvtx() { result = parseOctal("01000") }
 
+/** Gets the number corresponding to the read permission bit for owner of the file in Unix. */
 int s_irusr() { result = parseOctal("0400") }
 
+/** Gets the number corresponding to the write permission bit for owner of the file in Unix. */
 int s_iwusr() { result = parseOctal("0200") }
 
+/** Gets the number corresponding to the execute permission bit for owner of the file in Unix. */
 int s_ixusr() { result = parseOctal("0100") }
 
+/** Gets the number corresponding to the permissions `S_IRUSR | S_IWUSR | S_IXUSR` in Unix. */
 int s_irwxu() { result = s_irusr().bitOr(s_iwusr()).bitOr(s_ixusr()) }
 
+/**
+ * Gets the number corresponding to the read permission bit for the group
+ * owner of the file in Unix.
+ */
 int s_irgrp() { result = s_irusr().bitShiftRight(3) }
 
+/**
+ * Gets the number corresponding to the write permission bit for the group
+ * owner of the file in Unix.
+ */
 int s_iwgrp() { result = s_iwusr().bitShiftRight(3) }
 
+/**
+ * Gets the number corresponding to the execute permission bit for the group
+ * owner of the file in Unix.
+ */
 int s_ixgrp() { result = s_ixusr().bitShiftRight(3) }
 
+/** Gets the number corresponding to the permissions `S_IRGRP | S_IWGRP | S_IXGRP` in Unix. */
 int s_irwxg() { result = s_irwxu().bitShiftRight(3) }
 
+/** Gets the number corresponding to the read permission bit for other users in Unix. */
 int s_iroth() { result = s_irgrp().bitShiftRight(3) }
 
+/** Gets the number corresponding to the write permission bit for other users in Unix. */
 int s_iwoth() { result = s_iwgrp().bitShiftRight(3) }
 
+/** Gets the number corresponding to the execute-or-search permission bit for other users in Unix. */
 int s_ixoth() { result = s_ixgrp().bitShiftRight(3) }
 
+/** Gets the number corresponding to the permissions `S_IROTH | S_IWOTH | S_IXOTH` in Unix. */
 int s_irwxo() { result = s_irwxg().bitShiftRight(3) }
 
+/**
+ * Gets the number that can be used in a bitwise and with the file status flag
+ * to produce a number representing the file access mode.
+ */
 int o_accmode() { result = parseOctal("0003") }
 
+/** Gets the number corresponding to the read-only file access mode. */
 int o_rdonly() { result = parseOctal("00") }
 
+/** Gets the number corresponding to the write-only file access mode. */
 int o_wronly() { result = parseOctal("01") }
 
+/** Gets the number corresponding to the read-and-write file access mode. */
 int o_rdwr() { result = parseOctal("02") }
 
+/** Gets the number corresponding to the file creation flag O_CREAT on Linux. */
 int o_creat() { result = parseOctal("0100") }
 
+/** Gets the number corresponding to the file creation flag O_EXCL on Linux. */
 int o_excl() { result = parseOctal("0200") }

cpp/ql/src/semmle/code/cpp/controlflow/DefinitionsAndUses.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides classes and predicates for reasoning about definitions and uses of variables.
+ */
+
 import cpp
 private import semmle.code.cpp.controlflow.StackVariableReachability
 private import semmle.code.cpp.dataflow.EscapesTree
@@ -135,6 +139,7 @@ library class DefOrUse extends ControlFlowNodeBase {
   }
 }
 
+/** A definition of a stack variable. */
 library class Def extends DefOrUse {
   Def() { definition(_, this) }
 
@@ -149,6 +154,7 @@ private predicate parameterIsOverwritten(Function f, Parameter p) {
   definitionBarrier(p, _)
 }
 
+/** A definition of a parameter. */
 library class ParameterDef extends DefOrUse {
   ParameterDef() {
     // Optimization: parameters that are not overwritten do not require
@@ -162,6 +168,7 @@ library class ParameterDef extends DefOrUse {
   }
 }
 
+/** A use of a stack variable. */
 library class Use extends DefOrUse {
   Use() { useOfVar(_, this) }
 

cpp/ql/src/semmle/code/cpp/controlflow/Dereferenced.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides predicates for detecting whether an expression dereferences a pointer.
+ */
+
 import cpp
 import Nullness
 

cpp/ql/src/semmle/code/cpp/controlflow/Guards.qll

@@ -1,3 +1,8 @@
+/**
+ * Provides classes and predicates for reasoning about guards and the control
+ * flow elements controlled by those guards.
+ */
+
 import cpp
 import semmle.code.cpp.controlflow.BasicBlocks
 import semmle.code.cpp.controlflow.SSA

cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll

@@ -1,3 +1,8 @@
+/**
+ * Provides classes and predicates for reasoning about guards and the control
+ * flow elements controlled by those guards.
+ */
+
 import cpp
 import semmle.code.cpp.ir.IR
 
@@ -32,7 +37,7 @@ class GuardCondition extends Expr {
   }
 
   /**
-   * Holds if this condition controls `block`, meaning that `block` is only
+   * Holds if this condition controls `controlled`, meaning that `controlled` is only
    * entered if the value of this condition is `testIsTrue`.
    *
    * Illustration:
@@ -253,7 +258,7 @@ class IRGuardCondition extends Instruction {
   IRGuardCondition() { branch = get_branch_for_condition(this) }
 
   /**
-   * Holds if this condition controls `block`, meaning that `block` is only
+   * Holds if this condition controls `controlled`, meaning that `controlled` is only
    * entered if the value of this condition is `testIsTrue`.
    *
    * Illustration:
@@ -290,6 +295,10 @@ class IRGuardCondition extends Instruction {
     )
   }
 
+  /**
+   * Holds if the control-flow edge `(pred, succ)` may be taken only if
+   * the value of this condition is `testIsTrue`.
+   */
   cached
   predicate controlsEdge(IRBlock pred, IRBlock succ, boolean testIsTrue) {
     pred.getASuccessor() = succ and

cpp/ql/src/semmle/code/cpp/controlflow/Nullness.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides classes and predicates for working with null values and checks for nullness.
+ */
+
 import cpp
 import DefinitionsAndUses
 

cpp/ql/src/semmle/code/cpp/controlflow/SSA.qll

@@ -1,7 +1,15 @@
+/**
+ * Provides classes and predicates for SSA representation (Static Single Assignment form).
+ */
+
 import cpp
 import semmle.code.cpp.controlflow.Dominance
 import SSAUtils
 
+/**
+ * The SSA logic comes in two versions: the standard SSA and range-analysis RangeSSA.
+ * This class provides the standard SSA logic.
+ */
 library class StandardSSA extends SSAHelper {
   StandardSSA() { this = 0 }
 }
@@ -50,11 +58,13 @@ class SsaDefinition extends ControlFlowNodeBase {
    */
   ControlFlowNode getDefinition() { result = this }
 
+  /** Gets the `BasicBlock` containing this definition. */
   BasicBlock getBasicBlock() { result.contains(getDefinition()) }
 
   /** Holds if this definition is a phi node for variable `v`. */
   predicate isPhiNode(StackVariable v) { exists(StandardSSA x | x.phi_node(v, this.(BasicBlock))) }
 
+  /** Gets the location of this definition. */
   Location getLocation() { result = this.(ControlFlowNode).getLocation() }
 
   /** Holds if the SSA variable `(this, p)` is defined by parameter `p`. */

cpp/ql/src/semmle/code/cpp/controlflow/SSAUtils.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides classes and predicates for use in the SSA library.
+ */
+
 import cpp
 import semmle.code.cpp.controlflow.Dominance
 import semmle.code.cpp.controlflow.SSA // must be imported for proper caching of SSAHelper

cpp/ql/src/semmle/code/cpp/controlflow/StackVariableReachability.qll

@@ -1,3 +1,8 @@
+/**
+ * Provides a library for working with local (intra-procedural) control-flow
+ * reachability involving stack variables.
+ */
+
 import cpp
 
 /**