Merge branch 'main' into unsafe-use-of-this-query

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/Element.qll

@@ -65,11 +65,10 @@ class ElementBase extends @element {
    * which they belong; for example, `AddExpr` is a primary class, but
    * `BinaryOperation` is not.
    *
-   * This predicate always has a result. If no primary class can be
-   * determined, the result is `"???"`. If multiple primary classes match,
-   * this predicate can have multiple results.
+   * This predicate can have multiple results if multiple primary classes match.
+   * For some elements, this predicate may not have a result.
    */
-  string getAPrimaryQlClass() { result = "???" }
+  string getAPrimaryQlClass() { none() }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/PrintAST.qll

@@ -91,7 +91,8 @@ private newtype TPrintASTNode =
   TDeclarationEntryNode(DeclStmt stmt, DeclarationEntry entry) {
     // We create a unique node for each pair of (stmt, entry), to avoid having one node with
     // multiple parents due to extractor bug CPP-413.
-    stmt.getADeclarationEntry() = entry
+    stmt.getADeclarationEntry() = entry and
+    shouldPrintFunction(stmt.getEnclosingFunction())
   } or
   TParametersNode(Function func) { shouldPrintFunction(func) } or
   TConstructorInitializersNode(Constructor ctor) {
@@ -234,11 +235,27 @@ class PrintASTNode extends TPrintASTNode {
   private Function getEnclosingFunction() { result = getParent*().(FunctionNode).getFunction() }
 }
 
+/**
+ * Class that restricts the elements that we compute `qlClass` for.
+ */
+private class PrintableElement extends Element {
+  PrintableElement() {
+    exists(TASTNode(this))
+    or
+    exists(TDeclarationEntryNode(_, this))
+    or
+    this instanceof Type
+  }
+
+  pragma[noinline]
+  string getAPrimaryQlClass0() { result = getAPrimaryQlClass() }
+}
+
 /**
  * Retrieves the canonical QL class(es) for entity `el`
  */
-private string qlClass(ElementBase el) {
-  result = "[" + concat(el.getAPrimaryQlClass(), ",") + "] "
+private string qlClass(PrintableElement el) {
+  result = "[" + concat(el.getAPrimaryQlClass0(), ",") + "] "
   // Alternative implementation -- do not delete. It is useful for QL class discovery.
   //result = "["+ concat(el.getAQlClass(), ",") + "] "
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -566,6 +566,9 @@ private Overlap getVariableMemoryLocationOverlap(
       use.getEndBitOffset())
 }
 
+bindingset[result, b]
+private boolean unbindBool(boolean b) { result != b.booleanNot() }
+
 MemoryLocation getResultMemoryLocation(Instruction instr) {
   exists(MemoryAccessKind kind, boolean isMayAccess |
     kind = instr.getResultMemoryAccess() and
@@ -578,15 +581,16 @@ MemoryLocation getResultMemoryLocation(Instruction instr) {
           exists(Allocation var, IRType type, IntValue startBitOffset, IntValue endBitOffset |
             hasResultMemoryAccess(instr, var, type, _, startBitOffset, endBitOffset, isMayAccess) and
             result =
-              TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset, isMayAccess)
+              TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset,
+                unbindBool(isMayAccess))
           )
         else result = TUnknownMemoryLocation(instr.getEnclosingIRFunction(), isMayAccess)
       )
       or
       kind instanceof EntireAllocationMemoryAccess and
       result =
         TEntireAllocationMemoryLocation(getAddressOperandAllocation(instr.getResultAddressOperand()),
-          isMayAccess)
+          unbindBool(isMayAccess))
       or
       kind instanceof EscapedMemoryAccess and
       result = TAllAliasedMemory(instr.getEnclosingIRFunction(), isMayAccess, false)

csharp/ql/src/semmle/code/cil/DataFlow.qll

@@ -165,14 +165,16 @@ module DefUse {
     (
       exists(int last | last = max(refRank(bb, _, v, _)) | defReachesRank(bb, vu, last, v))
       or
-      exists(BasicBlock pred |
-        pred = bb.getAPredecessor() and
-        defReachesEndOfBlock(pred, vu, v) and
-        not exists(refRank(bb, _, v, Write()))
-      )
+      defReachesStartOfBlock(bb, vu, v) and
+      not exists(refRank(bb, _, v, Write()))
     )
   }
 
+  pragma[noinline]
+  private predicate defReachesStartOfBlock(BasicBlock bb, VariableUpdate vu, StackVariable v) {
+    defReachesEndOfBlock(bb.getAPredecessor(), vu, v)
+  }
+
   /**
    * Holds if the variable update `vu` of stack variable `v` reaches `read` in the
    * same basic block without crossing another update of `v`.

csharp/ql/src/semmle/code/csharp/dataflow/SSA.qll

@@ -1130,7 +1130,7 @@ module Ssa {
         exists(Expr mid | reachesDelegateCall(mid) | delegateFlowStep(e, mid))
       }
 
-      pragma[noinline]
+      pragma[nomagic]
       private predicate delegateFlowStepReaches(Expr pred, Expr succ) {
         delegateFlowStep(pred, succ) and
         reachesDelegateCall(succ)