The following changes in version 1.23 affect C/C++ analysis in all applications.
- The data-flow library in `semmle.code.cpp.dataflow.DataFlow` and `semmle.code.cpp.dataflow.TaintTracking` has had extensive changes:
  - Data flow through fields is now more complete and reliable.
  - The data-flow library has been extended with a new feature to aid debugging. Previously, to explore the possible flow from all sources you could specify `isSink(Node n) { any() }` on a configuration. Now you can use the new `Configuration::hasPartialFlow` predicate, which gives a more complete picture of the partial flow paths from a given source, including flow that doesn't reach any sink. The feature is disabled by default and can be enabled for individual configurations by overriding `int explorationLimit()`.
  - There is now flow out of C++ reference parameters.
  - There is now flow through the address-of operator (`&`).
  - The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a definition of `x` when `x` is a variable of pointer type. It no longer considers deep paths such as `f(&x.myField)` to be definitions of `x`. These changes are in line with the user expectations we've observed.
  - It's now easier to specify barriers/sanitizers arising from guards by overriding the predicate `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking configurations respectively.
  - There is now a `DataFlow::localExprFlow` predicate and a `TaintTracking::localExprTaint` predicate to make it easy to use the most common case of local data flow and taint: from one `Expr` to another.
- The member predicates of the `FunctionInput` and `FunctionOutput` classes have been renamed for clarity (for example, `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates have been deprecated and will be removed in a future release. Code that uses the old member predicates should be updated to use the corresponding new member predicate.
- The predicate `Declaration.hasGlobalOrStdName` has been added, making it easier to recognize C library functions called from C++.
- The control-flow graph is now computed in QL, not in the extractor. This can lead to changes in how queries are optimized, because optimization in QL relies on static size estimates, and the control-flow edge relations will now have different size estimates than before.
- Support has been added for non-type template arguments. This means that the return type of `Declaration::getTemplateArgument()` and `Declaration::getATemplateArgument()` has changed to `Locatable`. For details, see the CodeQL library documentation for `Declaration::getTemplateArgument()` and `Declaration::getTemplateArgumentKind()`.
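The partial-flow debugging feature described above, shown as an added example query that is not part of the CodeQL changelog or the CodeQL libraries. It assumes a C/C++ database in which `getenv()` is called; the configuration name, the choice of `getenv()` as the source and the exploration limit of 5 steps are all illustrative. It also uses the new `hasGlobalOrStdName` predicate so that both `getenv` and `std::getenv` are matched.

```ql
/**
 * @name Partial data flow from getenv() results (added example)
 * @description Explores where values returned by getenv() can flow, up to
 *              five steps from each call, without defining any sinks.
 * @kind path-problem
 * @problem.severity recommendation
 * @id cpp/example/partial-flow-from-getenv
 */

import cpp
import semmle.code.cpp.dataflow.DataFlow
// Partial paths need the partial path graph, not DataFlow::PathGraph.
import DataFlow::PartialPathGraph

/** Hypothetical configuration: sources are calls to the C library function getenv(). */
class GetenvExplorationConfig extends DataFlow::Configuration {
  GetenvExplorationConfig() { this = "GetenvExplorationConfig" }

  override predicate isSource(DataFlow::Node source) {
    // hasGlobalOrStdName matches both `getenv` (C) and `std::getenv` (C++).
    source.asExpr().(FunctionCall).getTarget().hasGlobalOrStdName("getenv")
  }

  // hasPartialFlow disregards sinks entirely; declaring none keeps that explicit.
  override predicate isSink(DataFlow::Node sink) { none() }

  // Partial-flow exploration is off by default. Overriding explorationLimit
  // enables it for this configuration and bounds the search to 5 flow steps
  // from each source (an assumed value; raise it cautiously, the relation grows fast).
  override int explorationLimit() { result = 5 }
}

from
  GetenvExplorationConfig cfg, DataFlow::PartialPathNode source,
  DataFlow::PartialPathNode node, int dist
where cfg.hasPartialFlow(source, node, dist)
select node.getNode(), source, node,
  "Value from $@ reaches here after " + dist + " step(s).", source.getNode(), "getenv()"
```

Because no sink is defined, every result is a place a source value can reach within the limit, which is what makes this useful for working out why an expected sink is never hit: if the path stops short of it, the last reported node shows where flow is lost (a missing field step, an unmodelled library call, or a barrier).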

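The `isSanitizerGuard` override and the `hasGlobalOrStdName` predicate from the list above, combined in an added example query that is not part of the CodeQL changelog or the CodeQL libraries. It assumes a hypothetical project function `is_valid()` whose true branch validates its argument; the configuration name, the `getenv()` source and the `system()` argument sink are illustrative choices for a detection query.

```ql
/**
 * @name Environment value reaches system() without validation (added example)
 * @description Taint from getenv() to the command string of system(), where
 *              a true-branch is_valid(x) check is treated as sanitizing x.
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/example/getenv-to-system-guarded
 */

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

/**
 * Hypothetical guard: `if (is_valid(x)) { ... }` validates `x` on the true
 * branch. `is_valid` is an assumed project function, not a standard one.
 */
class IsValidGuard extends DataFlow::BarrierGuard {
  IsValidGuard() { this.(FunctionCall).getTarget().hasGlobalOrStdName("is_valid") }

  // `e` is validated when this condition evaluates to `branch`.
  override predicate checks(Expr e, boolean branch) {
    e = this.(FunctionCall).getArgument(0) and branch = true
  }
}

class GetenvToSystemConfig extends TaintTracking::Configuration {
  GetenvToSystemConfig() { this = "GetenvToSystemConfig" }

  override predicate isSource(DataFlow::Node source) {
    source.asExpr().(FunctionCall).getTarget().hasGlobalOrStdName("getenv")
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().hasGlobalOrStdName("system") and
      sink.asExpr() = call.getArgument(0)
    )
  }

  // Nodes controlled by an IsValidGuard on its validating branch stop taint,
  // so `if (is_valid(cmd)) system(cmd);` is not reported.
  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof IsValidGuard
  }
}

from GetenvToSystemConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Command passed to system() depends on $@ that is not validated by is_valid().",
  source.getNode(), "an environment variable"
```

The guard only suppresses results where the validated expression is a variable access that the condition dominates; a check on a copy, or a check whose false branch is the one that continues, still reports, which is the behaviour a detection author usually wants from a sanitizer guard.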