Merge rc/1.18 into master.

Author: adityasharad

cpp/ql/src/Documentation/CommentedOutCode.qll

@@ -119,7 +119,7 @@ class CommentBlock extends Comment {
      */
     predicate hasLocationInfo(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
         this.getLocation().hasLocationInfo(filepath, startline, startcolumn, _, _) and
-        this.lastComment().getLocation().hasLocationInfo(filepath, _, _, endline, endcolumn)
+        this.lastComment().getLocation().hasLocationInfo(_, _, _, endline, endcolumn)
     }
 }
 

cpp/ql/src/META-INF/MANIFEST.MF

@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: Semmle C/C++ Default Queries
 Bundle-SymbolicName: com.semmle.plugin.semmlecode.cpp.queries;singleton:=true
-Bundle-Version: 1.18.0.qualifier
+Bundle-Version: 1.18.1.qualifier
 Bundle-Vendor: Semmle Ltd.
 Bundle-ActivationPolicy: lazy
-Require-Bundle: com.semmle.plugin.qdt.ui;bundle-version="[1.18.0.qualifier,1.18.0.qualifier]"
+Require-Bundle: com.semmle.plugin.qdt.ui;bundle-version="[1.18.1.qualifier,1.18.1.qualifier]"

cpp/ql/src/semmle/code/cpp/Element.qll

@@ -2,41 +2,38 @@ import semmle.code.cpp.Location
 private import semmle.code.cpp.Enclosing
 private import semmle.code.cpp.internal.ResolveClass
 
-/**
- * Get the `@element` that represents this `@element`.
- * Normally this will simply be `e`, but sometimes it is not.
- * For example, for an incomplete struct `e` the result may be a
- * complete struct with the same name.
- */
-private cached @element resolveElement(@element e) {
-  if isClass(e)
-  then result = resolveClass(e)
-  else result = e
-}
-
 /**
  * Get the `Element` that represents this `@element`.
  * Normally this will simply be a cast of `e`, but sometimes it is not.
  * For example, for an incomplete struct `e` the result may be a
  * complete struct with the same name.
  */
+pragma[inline]
 Element mkElement(@element e) {
-  result = resolveElement(e)
+  unresolveElement(result) = e
 }
 
 /**
- * Get an `@element` that resolves to the `Element`. This should
+ * INTERNAL: Do not use.
+ *
+ * Gets an `@element` that resolves to the `Element`. This should
  * normally only be called from member predicates, where `e` is not
  * `this` and you need the result for an argument to a database
  * extensional.
  * See `underlyingElement` for when `e` is `this`.
  */
+pragma[inline]
 @element unresolveElement(Element e) {
-  resolveElement(result) = e
+  not result instanceof @usertype and
+  result = e
+  or
+  e = resolveClass(result)
 }
 
 /**
- * Get the `@element` that this `Element` extends. This should normally
+ * INTERNAL: Do not use.
+ *
+ * Gets the `@element` that this `Element` extends. This should normally
  * only be called from member predicates, where `e` is `this` and you
  * need the result for an argument to a database extensional.
  * See `unresolveElement` for when `e` is not `this`.
@@ -53,10 +50,6 @@ Element mkElement(@element e) {
  * `getLocation`, or `hasLocationInfo`.
  */
 class ElementBase extends @element {
-  ElementBase() {
-    this = resolveElement(_)
-  }
-
   /** Gets a textual representation of this element. */
   string toString() { none() }
 }

cpp/ql/src/semmle/code/cpp/Specifier.qll

@@ -294,13 +294,13 @@ class AttributeArgument extends Element, @attribute_arg {
   }
 
   override string toString() {
-    if exists (@attribute_arg_empty self | mkElement(self) = this)
+    if exists (@attribute_arg_empty self | self = underlyingElement(this))
       then result = "empty argument"
       else exists (string prefix, string tail
            | (if exists(getName())
                 then prefix = getName() + "="
                 else prefix = "") and
-             (if exists (@attribute_arg_type self | mkElement(self) = this)
+             (if exists (@attribute_arg_type self | self = underlyingElement(this))
                 then tail = getValueType().getName()
                 else tail = getValueText()) and
              result = prefix + tail)

cpp/ql/src/semmle/code/cpp/Type.qll

@@ -7,6 +7,8 @@ private import semmle.code.cpp.internal.ResolveClass
  * A C/C++ type.
  */
 class Type extends Locatable, @type {
+  Type() { isType(underlyingElement(this)) }
+
   /**
    * Gets the name of this type.
    */

cpp/ql/src/semmle/code/cpp/internal/ResolveClass.qll

@@ -54,4 +54,10 @@ cached private module Cached {
     (usertypes(t,_,1) or usertypes(t,_,2) or usertypes(t,_,3) or usertypes(t,_,6)
     or usertypes(t,_,10) or usertypes(t,_,11) or usertypes(t,_,12))
   }
+
+  cached predicate isType(@type t) {
+    not isClass(t)
+    or
+    t = resolveClass(_)
+  }
 }

cpp/ql/src/semmle/code/cpp/pointsto/PointsTo.qll

@@ -633,12 +633,26 @@ class PointsToExpr extends Expr
   pragma[noopt]
   Element pointsTo()
   {
-    this.interesting() and exists(int set, @element thisEntity, @element resultEntity | thisEntity = underlyingElement(this) and pointstosets(set, thisEntity) and setlocations(set, resultEntity) and resultEntity = unresolveElement(result))
+    this.interesting() and
+    exists(int set, @element thisEntity, @element resultEntity |
+      thisEntity = underlyingElement(this) and
+      pointstosets(set, thisEntity) and
+      setlocations(set, resultEntity) and
+      resultEntity = localUnresolveElement(result)
+    )
   }
 
   float confidence() { result = 1.0 / count(this.pointsTo()) }
 }
 
+/*
+ * This is used above in a `pragma[noopt]` context, which prevents its
+ * customary inlining. We materialise it explicitly here.
+ */
+private @element localUnresolveElement(Element e) {
+  result = unresolveElement(e)
+}
+
 /**
  * Holds if anything points to an element, that is, is equivalent to:
  * ```

cpp/ql/src/semmle/code/cpp/security/Overflow.qll

@@ -13,6 +13,7 @@ predicate guardedAbs(Operation e, Expr use) {
 }
 
 /** is the size of this use guarded to be less than something? */
+pragma[nomagic]
 predicate guardedLesser(Operation e, Expr use) {
   exists(IfStmt c, RelationalOperation guard |
     use = guard.getLesserOperand().getAChild*() and
@@ -33,6 +34,7 @@ predicate guardedLesser(Operation e, Expr use) {
 }
 
 /** is the size of this use guarded to be greater than something? */
+pragma[nomagic]
 predicate guardedGreater(Operation e, Expr use) {
   exists(IfStmt c, RelationalOperation guard |
     use = guard.getGreaterOperand().getAChild*() and

cpp/ql/test/library-tests/templates/CPP-204/element.expected

@@ -34,7 +34,6 @@
 | test.cpp:8:31:8:35 | initializer for Value |
 | test.cpp:11:10:11:11 | mention of EC |
 | test.cpp:11:25:11:27 | mention of IsX<X> |
-| test.cpp:11:25:11:27 | mention of IsX<X> |
 | test.cpp:12:8:12:9 | DX<X, B> |
 | test.cpp:12:8:12:9 | definition of DX<X, B> |
 | test.cpp:13:17:13:20 | Type |

csharp/ql/src/META-INF/MANIFEST.MF

@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: Semmle C# Default Queries
 Bundle-SymbolicName: com.semmle.plugin.semmlecode.csharp.queries;singleton:=true
-Bundle-Version: 1.18.0.qualifier
+Bundle-Version: 1.18.1.qualifier
 Bundle-Vendor: Semmle Ltd.
 Bundle-ActivationPolicy: lazy
-Require-Bundle: com.semmle.plugin.qdt.ui;bundle-version="[1.18.0.qualifier, 1.18.0.qualifier]"
+Require-Bundle: com.semmle.plugin.qdt.ui;bundle-version="[1.18.1.qualifier,1.18.1.qualifier]"