Misc. FP fixes.

Author: bdrodes

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -535,7 +535,9 @@ class TimeConversionFunction extends Function {
         "SystemTimeToTzSpecificLocalTimeEx", "TzSpecificLocalTimeToSystemTime",
         "TzSpecificLocalTimeToSystemTimeEx", "RtlLocalTimeToSystemTime",
         "RtlTimeToSecondsSince1970", "_mkgmtime", "SetSystemTime", "SystemTimeToVariantTime",
-        "VariantTimeToSystemTime", "mktime", "_mktime32", "_mktime64"
+        "VariantTimeToSystemTime", "mktime", "_mktime32", "_mktime64", "VarUdateFromDate"
       ]
+    or
+    this.getQualifiedName().matches("GetDateFormat%")
   }
 }

cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql

@@ -57,6 +57,21 @@ class IgnorableFunction extends Function {
     // A postgres function for local time conversions
     // conversion operations (from one time structure to another) are generally ignorable
     this.getName() = "localsub"
+    or
+    // Hijri years are not applicable for gregorian leap year checks
+    this.getName().toLowerCase().matches("%hijri%")
+    or
+    this.getFile().getBaseName().toLowerCase().matches("%hijri%")
+    or
+    // Persian calendar conversions are not applicable for gregorian leap year checks
+    this.getName().toLowerCase().matches("%persian%")
+    or
+    this.getFile().getBaseName().toLowerCase().matches("%persian%")
+    // or
+    // // Functions with "convert" in the name are often conversion functions
+    // // This is a very broad heuristic to handle a few observed false positives
+    // // involving conversions with Hijri years.
+    // this.getName().toLowerCase().matches("%convert%")
   }
 }
 
@@ -123,17 +138,21 @@ predicate isLikelyConversionConstant(int c) {
     i = 2400000 or // MJD → JDN conversion
     i = 2400001 or // alt MJD → JDN conversion
     i = 2141 or // fixed‑point month/day extraction
-    i = 2000 or // observed in some conversions
     i = 65536 or // observed in some conversions
     i = 7834 or // observed in some conversions
     i = 256 or // observed in some conversions
-    i = 1900 or // struct tm base‑year offset; harmless
-    i = 1899 or // Observed in uses with 1900 to address off by one scenarios
     i = 292275056 or // qdatetime.h Qt Core year range first year constant
     i = 292278994 or // qdatetime.h Qt Core year range last year constant
     i = 1601 or // Windows FILETIME epoch start year
     i = 1970 or // Unix epoch start year
     i = 70 or // Unix epoch start year short form
+    i = 1899 or // Observed in uses with 1900 to address off by one scenarios
+    i = 1900 or // Used when converting a 2 digit year
+    i = 2000 or // Used when converting a 2 digit year
+    i = 1400 or // Hijri base year, used when converting a 2 digit year
+    i = 1980 or // FAT filesystem epoch start year
+    i = 227013 or // constant observed for Hirji year conversion, and Hirji years are not applicable for gregorian leap year
+    i = 10631 or // constant observed for Hirji year conversion, and Hirji years are not applicable for gregorian leap year
     i = 0
   )
 }
@@ -375,6 +394,12 @@ module OperationToYearAssignmentConfig implements DataFlow::ConfigSig {
     or
     n.asExpr() instanceof IgnorableOperation
     or
+    // Hijri or Persian  years are not applicable for gregorian leap year checks
+    exists(Variable v |
+      v.getName().toLowerCase().matches(["%hijri%, %persian%"]) and
+      v.getAnAccess() = [n.asIndirectExpr(), n.asExpr()]
+    )
+    or
     isLeapYearCheckSink(n)
   }
 
@@ -404,7 +429,17 @@ module YearFieldAccessToLeapYearCheckConfig implements DataFlow::ConfigSig {
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     // flow from a YearFieldAccess to the qualifier
-    node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier()
+    node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*()
+    or
+    // Pass through any intermediate struct
+    exists(Assignment a, DataFlow::PostUpdateNode pun |
+      a.getLValue().(YearFieldAccess).getQualifier*() = pun.getPreUpdateNode().asExpr() and
+      a.getRValue() = node1.asExpr() and
+      node2.asExpr() = a.getLValue().(YearFieldAccess).getQualifier*()
+    )
+    or
+    // flow from a year access qualifier to a year field
+    exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier())
   }
 
   /**
@@ -428,7 +463,7 @@ predicate isYearModifiedWithCheck(YearFieldAccess fa) {
   // assume the leap year is being handled.
   exists(TimeStructToCheckedTimeConversionFlow::PathNode timeQualSrc |
     timeQualSrc.isSource() and
-    timeQualSrc.getNode().asExpr() = fa.getQualifier()
+    timeQualSrc.getNode().asExpr() = fa.getQualifier*()
   )
   // or
   // isUsedInFeb29Check(fa)
@@ -491,9 +526,13 @@ module TimeStructToCheckedTimeConversionConfig implements DataFlow::StateConfigS
   predicate isSink(DataFlow::Node sink, FlowState state) {
     state = true and
     (
-      exists(IfStmt ifs | ifs.getCondition().getAChild*() = sink.asExpr())
+      exists(IfStmt ifs | ifs.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()])
+      or
+      exists(ConditionalExpr ce |
+        ce.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()]
+      )
       or
-      exists(ConditionalExpr ce | ce.getCondition().getAChild*() = sink.asExpr())
+      exists(Loop l | l.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()])
     )
   }
 
@@ -504,11 +543,26 @@ module TimeStructToCheckedTimeConversionConfig implements DataFlow::StateConfigS
     state2 = true and
     exists(Call c |
       c.getTarget() instanceof TimeConversionFunction and
-      c.getAnArgument().getAChild*() = node1.asExpr() and
+      c.getAnArgument().getAChild*() = [node1.asExpr(), node1.asIndirectExpr()] and
       node2.asExpr() = c
     )
   }
 
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // flow from a YearFieldAccess to the qualifier
+    node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*()
+    or
+    // Pass through any intermediate struct
+    exists(Assignment a, DataFlow::PostUpdateNode pun |
+      a.getLValue().(YearFieldAccess).getQualifier*() = pun.getPreUpdateNode().asExpr() and
+      a.getRValue() = node1.asExpr() and
+      node2.asExpr() = a.getLValue().(YearFieldAccess).getQualifier*()
+    )
+    or
+    // flow from a year access qualifier to a year field
+    exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier())
+  }
+
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 }
 
@@ -543,7 +597,7 @@ module ParameterToLeapYearCheckConfig implements DataFlow::ConfigSig {
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     // flow from a YearFieldAccess to the qualifier
-    node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier()
+    node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*()
     or
     // flow from a year access qualifier to a year field
     exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier())
@@ -656,35 +710,56 @@ class LeapYearGuardCondition extends GuardCondition {
   }
 }
 
+/**
+ * A difficult case to detect is if a year modification is tied to a month modification
+ * and the month is safe for leap year.
+ *    e.g.,
+ *          year++;
+ *          month = 1;
+ *        ... values eventually used in the same time struct
+ * If this is even more challenging if the struct the values end up in are not
+ * local (set inter-procedurally).
+ * This flow flows constants 1-12 (but not 2 as this likely means february) to a month assignment.
+ * It is assumed a user of this flow will check if the month/day source and month/day sink
+ * are in the same basic blocks as a year modification source and a year modification sink.
+ * It is also assumed a user will check if the constant source is a value that is ignorable
+ * e.g., if it is 2 and the sink is a month assignment, then it isn't ignorable.
+ *
+ * Obviously this does not handle all conditions (e.g., the month set in another block).
+ * It is meant to capture the most common cases of false positives.
+ */
+module NonFebConstantToMonthAssignmentConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().getValue().toInt() in [1 .. 12] and
+    source.asExpr().getValue().toInt() != 2
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(Assignment a |
+      a.getLValue() instanceof MonthFieldAccess and
+      a.getRValue() = sink.asExpr()
+    )
+  }
+}
+
+// NOTE: only data flow here (no taint tracking) as we want the exact
+// constant flowing to the month assignment
+module NonFebConstantToMonthAssignmentFlow =
+  DataFlow::Global<NonFebConstantToMonthAssignmentConfig>;
+
 import OperationToYearAssignmentFlow::PathGraph
 
 from OperationToYearAssignmentFlow::PathNode src, OperationToYearAssignmentFlow::PathNode sink
 where
   OperationToYearAssignmentFlow::flowPath(src, sink) and
   not isYearModifiedWithCheck(sink.getNode().asExpr().(YearFieldAssignment).getYearFieldAccess()) and
   not isControlledByMonthEqualityCheckNonFebruary(sink.getNode().asExpr()) and
-  // TODO: this is an older heuristic that should be reassessed.
-  // The heuristic stipulates that if a month or day is set to a constant in the local flow up to or after
-  // a modified year's sink, then assume the user is knowingly handling the conversion correctly.
-  // There is no interpretation of the assignment of the month/day or consideration for what branch the assignment is on.
-  // Merely if the assignment of a constant day/month occurs anywhere, the year modification can likely
-  // be ignored.
-  not exists(FieldAccess mfa, AssignExpr ae, YearFieldAccess yfa, int val, Variable var |
-    mfa instanceof MonthFieldAccess or mfa instanceof DayFieldAccess
-  |
-    yfa = sink.getNode().asExpr().(YearFieldAssignment).getYearFieldAccess() and
-    var.getAnAccess() = yfa.getQualifier() and
-    mfa.getQualifier() = var.getAnAccess() and
-    mfa.isModified() and
-    (
-      mfa.getBasicBlock() = yfa.getBasicBlock().getASuccessor*() or
-      yfa.getBasicBlock() = mfa.getBasicBlock().getASuccessor+()
-    ) and
-    ae = mfa.getEnclosingElement() and
-    ae.getAnOperand().getValue().toInt() = val and
-    // If the constant looks like it relates to february, then there still might be an error
-    // so only look for any other constant.
-    not val in [2, 28, 29]
+  // Check if a month is set in the same block as the year operation source
+  // to a month that would be considered safe.
+  not exists(DataFlow::Node monthValSrc, DataFlow::Node monthValSink |
+    NonFebConstantToMonthAssignmentFlow::flow(monthValSrc, monthValSink) and
+    monthValSrc.asExpr().getBasicBlock() = src.getNode().asExpr().getBasicBlock() and
+    monthValSink.asExpr().getBasicBlock() = sink.getNode().asExpr().getBasicBlock()
   )
 select sink, src, sink,
   "Year field has been modified, but no appropriate check for LeapYear was found."

cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected

@@ -6,8 +6,6 @@
 | test.cpp:769:22:769:23 | 80 | test.cpp:769:22:769:23 | 80 | test.cpp:769:22:769:23 | 80 | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:21:813:40 | ... + ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:13:818:24 | ... + ... | Year field has been modified, but no appropriate check for LeapYear was found. |
-| test.cpp:857:33:857:36 | year | test.cpp:854:14:854:31 | ... + ... | test.cpp:857:33:857:36 | year | Year field has been modified, but no appropriate check for LeapYear was found. |
-| test.cpp:857:33:857:36 | year | test.cpp:854:35:854:40 | -- ... | test.cpp:857:33:857:36 | year | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:954:14:954:25 | ... + ... | test.cpp:954:14:954:25 | ... + ... | test.cpp:954:14:954:25 | ... + ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:972:3:972:12 | ... ++ | test.cpp:972:3:972:12 | ... ++ | test.cpp:972:3:972:12 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:1075:2:1075:11 | ... ++ | test.cpp:1075:2:1075:11 | ... ++ | test.cpp:1075:2:1075:11 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. |
@@ -29,6 +27,11 @@ edges
 | test.cpp:1183:10:1183:15 | offset | test.cpp:1183:2:1183:15 | ... += ... | provenance |  |
 | test.cpp:1202:2:1202:15 | ... += ... | test.cpp:1204:16:1204:19 | year | provenance |  |
 | test.cpp:1202:10:1202:15 | offset | test.cpp:1202:2:1202:15 | ... += ... | provenance |  |
+| test.cpp:1288:20:1288:23 | year | test.cpp:1291:14:1291:17 | year | provenance |  |
+| test.cpp:1306:12:1306:17 | ... + ... | test.cpp:1288:20:1288:23 | year | provenance |  |
+| test.cpp:1325:3:1325:20 | ... = ... | test.cpp:1327:12:1327:18 | yeartmp | provenance |  |
+| test.cpp:1325:13:1325:20 | ... + ... | test.cpp:1325:3:1325:20 | ... = ... | provenance |  |
+| test.cpp:1327:12:1327:18 | yeartmp | test.cpp:1288:20:1288:23 | year | provenance |  |
 nodes
 | test.cpp:422:14:422:14 | 2 | semmle.label | 2 |
 | test.cpp:440:2:440:11 | ... ++ | semmle.label | ... ++ |
@@ -77,6 +80,18 @@ nodes
 | test.cpp:1257:16:1257:28 | ... + ... | semmle.label | ... + ... |
 | test.cpp:1263:16:1263:28 | ... + ... | semmle.label | ... + ... |
 | test.cpp:1277:14:1277:26 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1288:20:1288:23 | year | semmle.label | year |
+| test.cpp:1291:14:1291:17 | year | semmle.label | year |
+| test.cpp:1301:15:1301:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1306:12:1306:17 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1315:15:1315:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1325:3:1325:20 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1325:13:1325:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1327:12:1327:18 | yeartmp | semmle.label | yeartmp |
+| test.cpp:1340:15:1340:27 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1353:13:1353:25 | ... + ... | semmle.label | ... + ... |
 subpaths
 testFailures
+| test.cpp:854:43:854:53 | // $ Source | Missing result: Source |
+| test.cpp:857:39:857:125 | // $ Alert[cpp/microsoft/public/leap-year/unchecked-after-arithmetic-year-modification] | Missing result: Alert[cpp/microsoft/public/leap-year/unchecked-after-arithmetic-year-modification] |
 | test.cpp:1075:2:1075:11 | ... ++ | Unexpected result: Alert |

cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp

@@ -819,7 +819,7 @@ void test(int x)
 }
 
 /**
- * Positive AntiPattern 1
+ * Positive AntiPattern 1 NOTE: historically considered positive but mktime checks year validity, needs re-assessment
  * Year field is modified but via an intermediary variable.
 */
 bool tp_intermediaryVar(struct timespec now, struct logtime &timestamp_remote)
@@ -1285,4 +1285,80 @@ void indirect_time_conversion_check(WORD year, WORD offset){
 	bool x = (res == 0) ? true : false;
 }
 
+void set_time(WORD year, WORD month, WORD day){
+	SYSTEMTIME tmp;
+
+	tmp.wYear = year;
+	tmp.wMonth = month;
+	tmp.wDay = day;
+}
+
+void constant_month_on_year_modification1(WORD year, WORD offset, WORD month){
+	SYSTEMTIME tmp;
+
+	if(month++ > 12){
+		tmp.wMonth = 1;
+		tmp.wYear = year + 1;// OK since the year is incremented with a known non-leap year month change
+	}
+
+	if(month++ > 12){
+
+		set_time(year+1, 1, 1);// OK since the year is incremented with a known non-leap year month change
+	}
+}
+
+void constant_month_on_year_modification2(WORD year, WORD offset, WORD month){
+	SYSTEMTIME tmp;
+
+	if(month++ > 12){
+		tmp.wMonth = 1;
+		tmp.wYear = year + 1;// OK since the year is incremented with a known non-leap year month change
+	}
+
+	
+	if(month++ > 12){
+		// some hueristics to detect a false positive here rely on variable names
+		// which is often consistent in the wild. 
+		// This variant uses the variable names yeartmp and monthtmp
+		WORD yeartmp;
+		WORD monthtmp;
+		yeartmp = year + 1;
+		monthtmp = 1;
+		set_time(yeartmp, monthtmp, 1);// OK since the year is incremented with a known non-leap year month change
+	}
+}
+
+typedef struct parent_struct {
+	SYSTEMTIME t;
+} PARENT_STRUCT;
+
+
+
+void nested_time_struct(WORD year, WORD offset){
+	PARENT_STRUCT ps;
+
+	ps.t.wYear = year + offset; // OK, checked below
+
+	bool isLeap = isLeapYearRaw(ps.t.wYear);
+
+	if(isLeap){
+		// do something
+	}
+}
+
+void intermediate_time_struct(WORD year, WORD offset){
+	SYSTEMTIME tm, tm2;
+	FILETIME ftTime;
+
+	tm.wYear = year + offset; 
+
+	tm2.wYear = tm.wYear;
+
+
+	while ( !SystemTimeToFileTime( &tm2, &ftTime ) )
+	{
+		/// handle error
+	}
+
+}