From 7a6f33890f5f2d4c41718c67380933786cd3665e Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Sat, 24 Aug 2019 10:48:42 +0100 Subject: [PATCH 1/4] Fix sort order for table --- change-notes/1.22/analysis-cpp.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/change-notes/1.22/analysis-cpp.md b/change-notes/1.22/analysis-cpp.md index 92357b849aad..1e2e71e4d73a 100644 --- a/change-notes/1.22/analysis-cpp.md +++ b/change-notes/1.22/analysis-cpp.md @@ -1,12 +1,5 @@ # Improvements to C/C++ analysis -## General improvements - -## New queries - -| **Query** | **Tags** | **Purpose** | -|-----------------------------|-----------|--------------------------------------------------------------------| - ## Changes to existing queries | **Query** | **Expected impact** | **Change** | 
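Review bot: the subject "Fix sort order for table" does not describe this hunk, which deletes the empty "General improvements" and "New queries" sections (including the header-only table `| **Query** | **Tags** | **Purpose** |`); either mention the section removal in the commit message or split it into its own commit so the history stays searchable. Removing the placeholders is otherwise an improvement, since a header-only table would have rendered as an empty table on the change-notes page.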
@@ -15,9 +8,9 @@ | Continue statement that does not continue (`cpp/continue-in-false-loop`) | Fewer false positive results | Analysis is now restricted to `do`-`while` loops. This query is now run and displayed by default on LGTM. | | Expression has no effect (`cpp/useless-expression`) | Fewer false positive results | Calls to functions with the `weak` attribute are no longer considered to be side effect free, because they could be overridden with a different implementation at link time. | | No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | False positives involving strings that are not null-terminated have been excluded. | +| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Rewritten using the taint-tracking library. | | Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results and more true positive results | The query now understands the direction of each comparison, making it more accurate. | | Suspicious pointer scaling (`cpp/suspicious-pointer-scaling`) | Lower precision | The precision of this query has been reduced to "medium". This coding pattern is used intentionally and safely in a number of real-world projects. Results are no longer displayed on LGTM unless you choose to display them. | -| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Rewritten using the taint-tracking library. | | Variable used in its own initializer (`cpp/use-in-own-initializer`) | Fewer false positive results | False positives for constant variables with the same name in different namespaces have been removed. | ## Changes to QL libraries From 22833251dbfe5b2246a66eb49c1b3055b64356ed Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Sat, 24 Aug 2019 10:55:50 +0100 Subject: [PATCH 2/4] Minor tidying up --- change-notes/1.22/analysis-cpp.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
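Review bot: the moved `cpp/non-constant-format` row now sits in the correct alphabetical position, since "No space for zero terminator" sorts before "Non-constant format string" (the space sorts before "n"), and the remaining rows (Continue, Expression, No space, Non-constant, Sign check, Suspicious, Variable) are consistently ordered; nothing to change in this hunk.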
diff --git a/change-notes/1.22/analysis-cpp.md b/change-notes/1.22/analysis-cpp.md index 1e2e71e4d73a..5b2122d36da1 100644 --- a/change-notes/1.22/analysis-cpp.md +++ b/change-notes/1.22/analysis-cpp.md 
@@ -1,17 +1,19 @@ # Improvements to C/C++ analysis +The following changes in version 1.22 affect C/C++ analysis in all applications. + ## Changes to existing queries | **Query** | **Expected impact** | **Change** | |----------------------------|------------------------|------------------------------------------------------------------| -| Call to alloca in a loop (`cpp/alloca-in-loop`) | Fewer false positive results | Fixed false positives where the stack allocation could not be reached multiple times in the loop, typically due to a `break` or `return` statement. | +| Call to alloca in a loop (`cpp/alloca-in-loop`) | Fewer false positive results | The query no longer highlights code where the stack allocation could not be reached multiple times in the loop, typically due to a `break` or `return` statement. | | Continue statement that does not continue (`cpp/continue-in-false-loop`) | Fewer false positive results | Analysis is now restricted to `do`-`while` loops. This query is now run and displayed by default on LGTM. | -| Expression has no effect (`cpp/useless-expression`) | Fewer false positive results | Calls to functions with the `weak` attribute are no longer considered to be side effect free, because they could be overridden with a different implementation at link time. | -| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | False positives involving strings that are not null-terminated have been excluded. | -| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Rewritten using the taint-tracking library. | -| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results and more true positive results | The query now understands the direction of each comparison, making it more accurate. 
| +| Expression has no effect (`cpp/useless-expression`) | Fewer false positive results | Calls to functions with the `weak` attribute are no longer considered to be side-effect free, because they could be overridden with a different implementation at link time. | +| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | False positive results for strings that are not null-terminated have been excluded. | +| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | The query was rewritten using the taint-tracking library. | +| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive and more true positive results | The query now understands the direction of each comparison, making it more accurate. | | Suspicious pointer scaling (`cpp/suspicious-pointer-scaling`) | Lower precision | The precision of this query has been reduced to "medium". This coding pattern is used intentionally and safely in a number of real-world projects. Results are no longer displayed on LGTM unless you choose to display them. | -| Variable used in its own initializer (`cpp/use-in-own-initializer`) | Fewer false positive results | False positives for constant variables with the same name in different namespaces have been removed. | +| Variable used in its own initializer (`cpp/use-in-own-initializer`) | Fewer false positive results | False positive results for constant variables with the same name in different namespaces have been removed. | ## Changes to QL libraries 
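Review bot: in the `cpp/alloca-in-loop` row, "could not be reached" should be "cannot be reached", since the rest of the table describes the query's present behaviour rather than a past fix. The new intro sentence claims the changes affect C/C++ analysis "in all applications", which this diff cannot verify on its own (the QL libraries section below lists API renames that only matter to custom queries), so keep that wording only if it matches the other 1.22 change-note files. The rest of the rewording (side-effect free, "False positive results for …", "The query was rewritten …") is consistent across rows.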
@@ -22,7 +24,7 @@ - Fixed the `LocalScopeVariableReachability.qll` library's handling of loops with an entry condition is both always true upon first entry, and where there is more than one control flow path through the loop condition. This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries which depend on it. - The `semmle.code.cpp.models` library now models data flow through `std::swap`. - There is a new `Variable.isThreadLocal()` predicate. It can be used to tell whether a variable is `thread_local`. -- Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries. +- Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16 in March 2018. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries. - The possibility of specifying barrier edges using `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking configurations has been replaced with the option of specifying in- and From 88a6cc091485fd0214b0d635225baef20d7b073b Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Sat, 24 Aug 2019 11:40:38 +0100 Subject: [PATCH 3/4] Update change-notes/1.22/analysis-cpp.md Co-Authored-By: Nick Rolfe --- change-notes/1.22/analysis-cpp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/change-notes/1.22/analysis-cpp.md b/change-notes/1.22/analysis-cpp.md index 5b2122d36da1..9334e0e5038a 100644 --- a/change-notes/1.22/analysis-cpp.md +++ b/change-notes/1.22/analysis-cpp.md 
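Review bot: the added "in March 2018" for release 1.16 is a new factual claim that nothing else in this file supports; confirm it against the 1.16 release date before merging, or drop it since the version number already pins the deprecation point. Also, the first unchanged context line of this hunk ("loops with an entry condition is both always true upon first entry") is ungrammatical and is left untouched here even though the commit is titled "Minor tidying up"; it is corrected in the following patch of the series, so consider squashing that fix into this one.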
@@ -21,7 +21,7 @@ The following changes in version 1.22 affect C/C++ analysis in all applications. - The predicate `TypeMention.toString()` has been simplified to always return the string "`type mention`". This may improve performance when using `Element.toString()` or its descendants. - The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow. - The second copy of the interprocedural `TaintTracking` library has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name. -- Fixed the `LocalScopeVariableReachability.qll` library's handling of loops with an entry condition is both always true upon first entry, and where there is more than one control flow path through the loop condition. This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries which depend on it. +- Fixed the `LocalScopeVariableReachability.qll` library's handling of loops where the entry condition is always true on first entry, and where there is more than one control flow path through the loop condition. This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries that depend on it. - The `semmle.code.cpp.models` library now models data flow through `std::swap`. - There is a new `Variable.isThreadLocal()` predicate. It can be used to tell whether a variable is `thread_local`. - Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16 in March 2018. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries. From c164d9390c044465f2b72e4ae2afd71689bbeacd Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Sat, 24 Aug 2019 11:48:07 +0100 Subject: [PATCH 4/4] Add a note about QLDoc comments The changes aren't finished in this release, but they're widespread enough we should acknowledge them. Originally https://github.com/Semmle/ql/pull/1812. --- change-notes/1.22/analysis-cpp.md | 1 + 1 file changed, 1 insertion(+) diff --git a/change-notes/1.22/analysis-cpp.md b/change-notes/1.22/analysis-cpp.md index 9334e0e5038a..933114186f8e 100644 --- a/change-notes/1.22/analysis-cpp.md +++ b/change-notes/1.22/analysis-cpp.md @@ -32,3 +32,4 @@ The following changes in version 1.22 affect C/C++ analysis in all applications. `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively, as it does not require knowledge about the actual edges used internally by the library. +- C/C++ code examples have been added to QLDoc comments on many more classes in the QL libraries.
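Review bot: (patch 3/4, `LocalScopeVariableReachability.qll` bullet) the rewritten sentence now reads correctly and keeps the "… always true on first entry, and where there is more than one control flow path …" pairing, but the subject line "Update change-notes/1.22/analysis-cpp.md" is the default from a GitHub suggested change and says nothing about the fix; replace it with something descriptive, e.g. "Fix wording of LocalScopeVariableReachability note", or squash this into patch 2/4 ("Minor tidying up"), which already touched this line as context.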
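Review bot: (patch 4/4) the new bullet is appended right after the continuation lines of the multi-line `isBarrierOut`/`isSanitizerOut` list item, so check the rendered page still shows it as a sibling top-level item rather than being absorbed into that paragraph; the `@@ -32,3 +32,4 @@` header shows this is the end of the file, so also confirm the added line is newline-terminated, since the "No newline at end of file" marker is not visible in this rendering. The wording itself is appropriately modest given the commit message says the QLDoc work is not finished in this release.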