From 1900734484ef80b46d041d0ab00461e5e30222df Mon Sep 17 00:00:00 2001 From: Jonas Jensen Date: Sat, 24 Aug 2019 16:49:39 +0200 Subject: [PATCH 1/3] C++: Reorganize the data flow change note This groups the change notes that concern the `DataFlow` library and clarifies the change notes that concern the two different `TaintTracking` libraries. --- change-notes/1.22/analysis-cpp.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/change-notes/1.22/analysis-cpp.md b/change-notes/1.22/analysis-cpp.md index 933114186f8e..1dab57eacb03 100644 --- a/change-notes/1.22/analysis-cpp.md +++ b/change-notes/1.22/analysis-cpp.md 
@@ -17,19 +17,22 @@ The following changes in version 1.22 affect C/C++ analysis in all applications. ## Changes to QL libraries +- The data flow library (`semmle.code.cpp.dataflow.DataFlow`) has had the + following improvements, all of which benefit the taint tracking library + (`semmle.code.cpp.dataflow.TaintTracking`) as well. + - The possibility of specifying barrier edges using + `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking + configurations has been replaced with the option of specifying in- and + out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and + `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively, + as it does not require knowledge about the actual edges used internally by + the library. + - The library now models data flow through `std::swap`. + - Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16 in March 2018. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries. +- In the `semmle.code.cpp.dataflow.TaintTracking` library, the second copy of `Configuration` has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name. +- The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow. - The predicate `Variable.getAnAssignedValue()` now reports assignments to fields resulting from aggregate initialization (` = {...}`). - The predicate `TypeMention.toString()` has been simplified to always return the string "`type mention`". This may improve performance when using `Element.toString()` or its descendants. -- The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow. 
-- The second copy of the interprocedural `TaintTracking` library has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name. - Fixed the `LocalScopeVariableReachability.qll` library's handling of loops where the entry condition is always true on first entry, and where there is more than one control flow path through the loop condition. This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries that depend on it. -- The `semmle.code.cpp.models` library now models data flow through `std::swap`. - There is a new `Variable.isThreadLocal()` predicate. It can be used to tell whether a variable is `thread_local`. -- Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16 in March 2018. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries. -- The possibility of specifying barrier edges using - `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking - configurations has been replaced with the option of specifying in- and - out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and - `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively, - as it does not require knowledge about the actual edges used internally by - the library. - C/C++ code examples have been added to QLDoc comments on many more classes in the QL libraries. From e379a60142f7b20aa852cc44dda0ce65fd748c33 Mon Sep 17 00:00:00 2001 From: Jonas Jensen Date: Sat, 24 Aug 2019 16:53:46 +0200 Subject: [PATCH 2/3] C++: Change note for flow through fields --- change-notes/1.22/analysis-cpp.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/change-notes/1.22/analysis-cpp.md b/change-notes/1.22/analysis-cpp.md index 1dab57eacb03..48584bd5d223 100644 --- a/change-notes/1.22/analysis-cpp.md +++ b/change-notes/1.22/analysis-cpp.md @@ -20,6 +20,9 @@ The following changes in version 1.22 affect C/C++ analysis in all applications. - The data flow library (`semmle.code.cpp.dataflow.DataFlow`) has had the following improvements, all of which benefit the taint tracking library (`semmle.code.cpp.dataflow.TaintTracking`) as well. + - This release includes preliminary support for flow interprocedural through + fields (non-static data members). In some cases, data stored in a field in + one function can flow to a read of the same field in a different function. - The possibility of specifying barrier edges using `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking configurations has been replaced with the option of specifying in- and From 83e0a65c710b1ed0a86419108431a74967dcc2cd Mon Sep 17 00:00:00 2001 From: Jonas Jensen Date: Sat, 24 Aug 2019 17:09:58 +0200 Subject: [PATCH 3/3] C++: improved wording --- change-notes/1.22/analysis-cpp.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/change-notes/1.22/analysis-cpp.md b/change-notes/1.22/analysis-cpp.md index 48584bd5d223..3a2ac717cbf1 100644 --- a/change-notes/1.22/analysis-cpp.md +++ b/change-notes/1.22/analysis-cpp.md 
@@ -20,9 +20,10 @@ The following changes in version 1.22 affect C/C++ analysis in all applications. - The data flow library (`semmle.code.cpp.dataflow.DataFlow`) has had the following improvements, all of which benefit the taint tracking library (`semmle.code.cpp.dataflow.TaintTracking`) as well. - - This release includes preliminary support for flow interprocedural through + - This release includes preliminary support for interprocedural flow through fields (non-static data members). In some cases, data stored in a field in - one function can flow to a read of the same field in a different function. + one function can now flow to a read of the same field in a different + function. - The possibility of specifying barrier edges using `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking configurations has been replaced with the option of specifying in- and
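Review bot: In PATCH 1/3, the `std::swap` sub-bullet loses the module attribution the old line carried. The removed line read "The `semmle.code.cpp.models` library now models data flow through `std::swap`", but nested under the `semmle.code.cpp.dataflow.DataFlow` bullet, "The library now models data flow through `std::swap`." reads as a statement about `DataFlow` itself. If the model lives in `semmle.code.cpp.models` and `DataFlow`/`TaintTracking` only consume it, keep the module name so users know where to look for the model (for example "The `semmle.code.cpp.models` library now models data flow through `std::swap`, and the data flow library uses this model."). Separately, the `isBarrierEdge`/`isSanitizerEdge` sub-bullet says the mechanism "has been replaced" but, unlike the recursion sub-bullet in the same group, does not say whether an existing override of `isBarrierEdge` is now a compile error, a deprecation warning, or silently ignored; a configuration author migrating to `isBarrierIn`/`isBarrierOut` needs that one sentence.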
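Review bot: In PATCH 2/3, "In some cases, data stored in a field in one function can flow to a read of the same field in a different function." is too vague for a user to act on: with "preliminary" support, a missing result can be either an intended limitation or a bug, and the note gives no way to tell which. Add the main known limitation or one concrete supported pattern (a store in one function and a read of the same field in another function), so that readers of `semmle.code.cpp.dataflow.TaintTracking` results know what to expect. The word order "flow interprocedural through fields" in the same hunk is corrected in PATCH 3/3.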
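Review bot: PATCH 3/3 is a wording fixup of the sentence PATCH 2/3 introduces ("flow interprocedural through" to "interprocedural flow through", and the added "now"); squash it into 2/3 so the series does not introduce and then correct the same sentence, which keeps bisects and blame on the change note readable. Also, "This release includes ... can now flow" states the release twice in one sentence; "This release includes preliminary support for interprocedural flow through fields (non-static data members): in some cases, data stored in a field in one function can flow to a read of the same field in a different function." says the same without the redundant "now".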