github
diff --git a/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 3 additions & 2 deletions b/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎change-notes/1.26/analysis-csharp.md‎
Lines changed: 29 additions & 0 deletions b/‎change-notes/1.26/analysis-csharp.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 2 additions & 0 deletions b/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll‎
Lines changed: 67 additions & 46 deletions b/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll‎
Lines changed: 67 additions & 46 deletions
@@ -14,11 +14,12 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
 | Inconsistent direction of for loop (`cpp/inconsistent-loop-direction`) | Fewer false positive results | The query now accounts for intentional wrapping of an unsigned loop counter. |
+| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | | The precision of this query has been decreased from "high" to "medium". As a result, the query is still run but results are no longer displayed on LGTM by default. |
 | Comparison result is always the same (`cpp/constant-comparison`) | More correct results | Bounds on expressions involving multiplication can now be determined in more cases. |
 
 ## Changes to libraries
 
 * The models library now models some taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
-* The models library now models more taint flows through `std::string`.
+* The models library now models many more taint flows through `std::string`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
-  `e1 * e2` when `e1` and `e2` are unsigned.
+  `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
@@ -0,0 +1,29 @@
+# Improvements to C# analysis
+
+The following changes in version 1.26 affect C# analysis in all applications.
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+
+
+## Removal of old queries
+
+## Changes to code extraction
+
+* Partial method bodies are extracted. Previously, partial method bodies were skipped completely.
+
+## Changes to libraries
+
+## Changes to autobuilder
+
+## Changes to tooling support
+
+* The Abstract Syntax Tree of C# files can be printed in Visual Studio Code.
@@ -14,6 +14,8 @@
   - [pretty-format](https://www.npmjs.com/package/pretty-format)
   - [stringify-object](https://www.npmjs.com/package/stringify-object)
 
+* Analyzing files with the ".cjs" extension is now supported.
+
 ## New queries
 
 | **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
 
@@ -4,7 +4,7 @@
  *              user can result in integer overflow.
  * @kind path-problem
  * @problem.severity error
- * @precision high
+ * @precision medium
  * @id cpp/uncontrolled-allocation-size
  * @tags reliability
  *       security
 
@@ -1066,7 +1066,7 @@ private module LocalFlowBigStep {
    * Holds if `node` can be the first node in a maximal subsequence of local
    * flow steps in a dataflow path.
    */
-  private predicate localFlowEntry(Node node, Configuration config) {
+  predicate localFlowEntry(Node node, Configuration config) {
     nodeCand2(node, config) and
     (
       config.isSource(node) or
@@ -1650,94 +1650,105 @@ private class AccessPathOption extends TAccessPathOption {
  * Holds if `node` is reachable with access path `ap` from a source in
  * the configuration `config`.
  *
- * The Boolean `fromArg` records whether the node is reached through an
+ * The call context `cc` records whether the node is reached through an
  * argument in a call, and if so, `argAp` records the access path of that
  * argument.
  */
 private predicate flowFwd(
-  Node node, boolean fromArg, AccessPathOption argAp, AccessPathFront apf, AccessPath ap,
+  Node node, CallContext cc, AccessPathOption argAp, AccessPathFront apf, AccessPath ap,
   Configuration config
 ) {
-  flowFwd0(node, fromArg, argAp, apf, ap, config) and
+  flowFwd0(node, cc, argAp, apf, ap, config) and
   flowCand(node, _, _, apf, config)
 }
 
 private predicate flowFwd0(
-  Node node, boolean fromArg, AccessPathOption argAp, AccessPathFront apf, AccessPath ap,
+  Node node, CallContext cc, AccessPathOption argAp, AccessPathFront apf, AccessPath ap,
   Configuration config
 ) {
   flowCand(node, _, _, _, config) and
   config.isSource(node) and
-  fromArg = false and
+  cc instanceof CallContextAny and
   argAp = TAccessPathNone() and
   ap = TNil(getNodeType(node)) and
   apf = ap.(AccessPathNil).getFront()
   or
   flowCand(node, _, _, _, unbind(config)) and
   (
-    exists(Node mid |
-      flowFwd(mid, fromArg, argAp, apf, ap, config) and
-      localFlowBigStep(mid, node, true, _, config, _)
+    exists(Node mid, LocalCallContext localCC |
+      flowFwdLocalEntry(mid, cc, argAp, apf, ap, localCC, config) and
+      localFlowBigStep(mid, node, true, _, config, localCC)
     )
     or
-    exists(Node mid, AccessPathNil nil |
-      flowFwd(mid, fromArg, argAp, _, nil, config) and
-      localFlowBigStep(mid, node, false, apf, config, _) and
+    exists(Node mid, AccessPathNil nil, LocalCallContext localCC |
+      flowFwdLocalEntry(mid, cc, argAp, _, nil, localCC, config) and
+      localFlowBigStep(mid, node, false, apf, config, localCC) and
       apf = ap.(AccessPathNil).getFront()
     )
     or
     exists(Node mid |
       flowFwd(mid, _, _, apf, ap, config) and
       jumpStep(mid, node, config) and
-      fromArg = false and
+      cc instanceof CallContextAny and
       argAp = TAccessPathNone()
     )
     or
     exists(Node mid, AccessPathNil nil |
       flowFwd(mid, _, _, _, nil, config) and
       additionalJumpStep(mid, node, config) and
-      fromArg = false and
+      cc instanceof CallContextAny and
       argAp = TAccessPathNone() and
       ap = TNil(getNodeType(node)) and
       apf = ap.(AccessPathNil).getFront()
     )
   )
   or
   // store
-  exists(TypedContent tc | flowFwdStore(node, tc, pop(tc, ap), apf, fromArg, argAp, config))
+  exists(TypedContent tc | flowFwdStore(node, tc, pop(tc, ap), apf, cc, argAp, config))
   or
   // read
   exists(TypedContent tc |
-    flowFwdRead(node, _, push(tc, ap), apf, fromArg, argAp, config) and
+    flowFwdRead(node, _, push(tc, ap), apf, cc, argAp, config) and
     flowFwdConsCand(tc, apf, ap, config)
   )
   or
   // flow into a callable
-  flowFwdIn(_, node, _, _, apf, ap, config) and
-  fromArg = true and
+  flowFwdIn(_, node, _, cc, _, apf, ap, config) and
   if flowCand(node, true, _, apf, config)
   then argAp = TAccessPathSome(ap)
   else argAp = TAccessPathNone()
   or
   // flow out of a callable
   exists(DataFlowCall call |
-    flowFwdOut(call, node, fromArg, argAp, apf, ap, config) and
-    fromArg = false
+    exists(DataFlowCallable c |
+      flowFwdOut(call, node, any(CallContextNoCall innercc), c, argAp, apf, ap, config) and
+      if reducedViableImplInReturn(c, call) then cc = TReturn(c, call) else cc = TAnyCallContext()
+    )
     or
     exists(AccessPath argAp0 |
       flowFwdOutFromArg(call, node, argAp0, apf, ap, config) and
-      flowFwdIsEntered(call, fromArg, argAp, argAp0, config)
+      flowFwdIsEntered(call, cc, argAp, argAp0, config)
     )
   )
 }
 
+pragma[nomagic]
+private predicate flowFwdLocalEntry(
+  Node node, CallContext cc, AccessPathOption argAp, AccessPathFront apf, AccessPath ap,
+  LocalCallContext localCC, Configuration config
+) {
+  flowFwd(node, cc, argAp, apf, ap, config) and
+  localFlowEntry(node, config) and
+  localCC = getLocalCallContext(cc, node.getEnclosingCallable())
+}
+
 pragma[nomagic]
 private predicate flowFwdStore(
-  Node node, TypedContent tc, AccessPath ap0, AccessPathFront apf, boolean fromArg,
+  Node node, TypedContent tc, AccessPath ap0, AccessPathFront apf, CallContext cc,
   AccessPathOption argAp, Configuration config
 ) {
   exists(Node mid, AccessPathFront apf0 |
-    flowFwd(mid, fromArg, argAp, apf0, ap0, config) and
+    flowFwd(mid, cc, argAp, apf0, ap0, config) and
     flowFwdStore0(mid, tc, node, apf0, apf, config)
   )
 }
@@ -1764,20 +1775,20 @@ private predicate flowFwdStore0(
 
 pragma[nomagic]
 private predicate flowFwdRead0(
-  Node node1, TypedContent tc, AccessPathFrontHead apf0, AccessPath ap0, Node node2,
-  boolean fromArg, AccessPathOption argAp, Configuration config
+  Node node1, TypedContent tc, AccessPathFrontHead apf0, AccessPath ap0, Node node2, CallContext cc,
+  AccessPathOption argAp, Configuration config
 ) {
-  flowFwd(node1, fromArg, argAp, apf0, ap0, config) and
+  flowFwd(node1, cc, argAp, apf0, ap0, config) and
   readCandFwd(node1, tc, apf0, node2, config)
 }
 
 pragma[nomagic]
 private predicate flowFwdRead(
-  Node node, AccessPathFrontHead apf0, AccessPath ap0, AccessPathFront apf, boolean fromArg,
+  Node node, AccessPathFrontHead apf0, AccessPath ap0, AccessPathFront apf, CallContext cc,
   AccessPathOption argAp, Configuration config
 ) {
   exists(Node mid, TypedContent tc |
-    flowFwdRead0(mid, tc, apf0, ap0, node, fromArg, argAp, config) and
+    flowFwdRead0(mid, tc, apf0, ap0, node, cc, argAp, config) and
     flowCand(node, _, _, apf, unbind(config)) and
     flowCandConsCand(tc, apf, unbind(config))
   )
@@ -1795,27 +1806,36 @@ private predicate flowFwdConsCand(
 
 pragma[nomagic]
 private predicate flowFwdIn(
-  DataFlowCall call, ParameterNode p, boolean fromArg, AccessPathOption argAp, AccessPathFront apf,
-  AccessPath ap, Configuration config
+  DataFlowCall call, ParameterNode p, CallContext outercc, CallContext innercc,
+  AccessPathOption argAp, AccessPathFront apf, AccessPath ap, Configuration config
 ) {
-  exists(ArgumentNode arg, boolean allowsFieldFlow |
-    flowFwd(arg, fromArg, argAp, apf, ap, config) and
+  exists(ArgumentNode arg, boolean allowsFieldFlow, DataFlowCallable c |
+    flowFwd(arg, outercc, argAp, apf, ap, config) and
     flowIntoCallNodeCand2(call, arg, p, allowsFieldFlow, config) and
-    flowCand(p, _, _, _, unbind(config))
+    c = p.getEnclosingCallable() and
+    c = resolveCall(call, outercc) and
+    flowCand(p, _, _, _, unbind(config)) and
+    if recordDataFlowCallSite(call, c) then innercc = TSpecificCall(call) else innercc = TSomeCall()
   |
     ap instanceof AccessPathNil or allowsFieldFlow = true
   )
 }
 
 pragma[nomagic]
 private predicate flowFwdOut(
-  DataFlowCall call, Node node, boolean fromArg, AccessPathOption argAp, AccessPathFront apf,
-  AccessPath ap, Configuration config
+  DataFlowCall call, Node node, CallContext innercc, DataFlowCallable innerc,
+  AccessPathOption argAp, AccessPathFront apf, AccessPath ap, Configuration config
 ) {
   exists(ReturnNodeExt ret, boolean allowsFieldFlow |
-    flowFwd(ret, fromArg, argAp, apf, ap, config) and
+    flowFwd(ret, innercc, argAp, apf, ap, config) and
     flowOutOfCallNodeCand2(call, ret, node, allowsFieldFlow, config) and
-    flowCand(node, _, _, _, unbind(config))
+    innerc = ret.getEnclosingCallable() and
+    flowCand(node, _, _, _, unbind(config)) and
+    (
+      resolveReturn(innercc, innerc, call)
+      or
+      innercc.(CallContextCall).matchesCall(call)
+    )
   |
     ap instanceof AccessPathNil or allowsFieldFlow = true
   )
@@ -1826,18 +1846,18 @@ private predicate flowFwdOutFromArg(
   DataFlowCall call, Node node, AccessPath argAp, AccessPathFront apf, AccessPath ap,
   Configuration config
 ) {
-  flowFwdOut(call, node, true, TAccessPathSome(argAp), apf, ap, config)
+  flowFwdOut(call, node, any(CallContextCall ccc), _, TAccessPathSome(argAp), apf, ap, config)
 }
 
 /**
  * Holds if an argument to `call` is reached in the flow covered by `flowFwd`.
  */
 pragma[nomagic]
 private predicate flowFwdIsEntered(
-  DataFlowCall call, boolean fromArg, AccessPathOption argAp, AccessPath ap, Configuration config
+  DataFlowCall call, CallContext cc, AccessPathOption argAp, AccessPath ap, Configuration config
 ) {
   exists(ParameterNode p, AccessPathFront apf |
-    flowFwdIn(call, p, fromArg, argAp, apf, ap, config) and
+    flowFwdIn(call, p, cc, _, argAp, apf, ap, config) and
     flowCand(p, true, TAccessPathFrontSome(_), apf, config)
   )
 }
@@ -1920,7 +1940,7 @@ private predicate flow0(
   // flow out of a callable
   flowOut(_, node, _, _, ap, config) and
   toReturn = true and
-  if flowFwd(node, true, TAccessPathSome(_), _, ap, config)
+  if flowFwd(node, any(CallContextCall ccc), TAccessPathSome(_), _, ap, config)
   then returnAp = TAccessPathSome(ap)
   else returnAp = TAccessPathNone()
 }
@@ -2006,9 +2026,10 @@ private predicate flowIsReturned(
   DataFlowCall call, boolean toReturn, AccessPathOption returnAp, AccessPath ap,
   Configuration config
 ) {
-  exists(ReturnNodeExt ret |
+  exists(ReturnNodeExt ret, CallContextCall ccc |
     flowOut(call, ret, toReturn, returnAp, ap, config) and
-    flowFwd(ret, true, TAccessPathSome(_), _, ap, config)
+    flowFwd(ret, ccc, TAccessPathSome(_), _, ap, config) and
+    ccc.matchesCall(call)
   )
 }
 
@@ -2031,7 +2052,7 @@ private newtype TSummaryCtx =
     exists(ReturnNodeExt ret, Configuration config, AccessPath ap0 |
       parameterFlow(p, ap, ret.getEnclosingCallable(), config) and
       flow(ret, true, TAccessPathSome(_), ap0, config) and
-      flowFwd(ret, true, TAccessPathSome(ap), _, ap0, config)
+      flowFwd(ret, any(CallContextCall ccc), TAccessPathSome(ap), _, ap0, config)
     )
   }
 
@@ -2352,7 +2373,7 @@ private predicate pathOutOfCallable0(
 ) {
   pos = getReturnPosition(mid.getNode()) and
   innercc = mid.getCallContext() and
-  not innercc instanceof CallContextCall and
+  innercc instanceof CallContextNoCall and
   ap = mid.getAp() and
   config = mid.getConfiguration()
 }
@@ -2867,7 +2888,7 @@ private module FlowExploration {
   ) {
     pos = getReturnPosition(mid.getNode()) and
     innercc = mid.getCallContext() and
-    not innercc instanceof CallContextCall and
+    innercc instanceof CallContextNoCall and
     ap = mid.getAp() and
     config = mid.getConfiguration()
   }