[pull] main from github:main

cpp/ql/lib/change-notes/2025-07-16-FunctionWithWrappers.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `FunctionWithWrappers` library (`semmle.code.cpp.security.FunctionWithWrappers`) no longer considers calls through function pointers as wrapper functions.

cpp/ql/lib/semmle/code/cpp/security/FunctionWithWrappers.qll

@@ -17,7 +17,6 @@
 
 import cpp
 import PrintfLike
-private import semmle.code.cpp.ir.dataflow.ResolveCall
 
 bindingset[index]
 private string toCause(Function func, int index) {
@@ -37,9 +36,9 @@ private predicate wrapperFunctionStep(
   not target.isVirtual() and
   not source.isVirtual() and
   source.hasDefinition() and
-  exists(Call call, Expr arg, Parameter sourceParam |
+  exists(FunctionCall call, Expr arg, Parameter sourceParam |
     // there is a 'call' to 'target' with argument 'arg' at index 'targetParamIndex'
-    target = resolveCall(call) and
+    target = call.getTarget() and
     arg = call.getArgument(targetParamIndex) and
     // 'call' is enclosed in 'source'
     source = call.getEnclosingFunction() and
@@ -154,8 +153,8 @@ abstract class FunctionWithWrappers extends Function {
    * Whether 'arg' is an argument in a call to an outermost wrapper function of 'this' function.
    */
   predicate outermostWrapperFunctionCall(Expr arg, string callChain) {
-    exists(Function targetFunc, Call call, int argIndex |
-      targetFunc = resolveCall(call) and
+    exists(Function targetFunc, FunctionCall call, int argIndex |
+      targetFunc = call.getTarget() and
       this.wrapperFunction(targetFunc, argIndex, callChain) and
       (
         exists(Function sourceFunc | sourceFunc = call.getEnclosingFunction() |

cpp/ql/src/change-notes/2025-07-16-FunctionWithWrappers.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Due to changes in the `FunctionWithWrappers` library (`semmle.code.cpp.security.FunctionWithWrappers`) the primary alert location generated by the queries `cpp/path-injection`, `cpp/sql-injection`, `cpp/tainted-format-string`, and `cpp/command-line-injection` may have changed.

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -24436,6 +24436,107 @@ ir.cpp:
 # 2742|                 Type = [IntType] int
 # 2742|                 ValueCategory = prvalue
 # 2743|     getStmt(14): [ReturnStmt] return ...
+# 2747| [CopyAssignmentOperator] std::strong_ordering& std::strong_ordering::operator=(std::strong_ordering const&)
+# 2747|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const strong_ordering &
+# 2747| [MoveAssignmentOperator] std::strong_ordering& std::strong_ordering::operator=(std::strong_ordering&&)
+# 2747|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] strong_ordering &&
+# 2747| [CopyConstructor] void std::strong_ordering::strong_ordering(std::strong_ordering const&)
+# 2747|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const strong_ordering &
+# 2747| [MoveConstructor] void std::strong_ordering::strong_ordering(std::strong_ordering&&)
+# 2747|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] strong_ordering &&
+# 2747|   <initializations>: 
+# 2747|   getEntryPoint(): [BlockStmt] { ... }
+# 2747|     getStmt(0): [ReturnStmt] return ...
+# 2748| [Constructor] void std::strong_ordering::strong_ordering(std::_Order)
+# 2748|   <params>: 
+# 2748|     getParameter(0): [Parameter] v
+# 2748|         Type = [ScopedEnum] _Order
+# 2748|   <initializations>: 
+# 2748|   getEntryPoint(): [BlockStmt] { ... }
+# 2748|     getStmt(0): [ReturnStmt] return ...
+# 2763| [CopyAssignmentOperator] ThreeWay& ThreeWay::operator=(ThreeWay const&)
+# 2763|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const ThreeWay &
+# 2763| [MoveAssignmentOperator] ThreeWay& ThreeWay::operator=(ThreeWay&&)
+# 2763|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] ThreeWay &&
+# 2763| [Constructor] void ThreeWay::ThreeWay()
+# 2763|   <params>: 
+# 2766| [MemberFunction] std::strong_ordering ThreeWay::operator<=>(ThreeWay&)
+# 2766|   <params>: 
+# 2766|     getParameter(0): [Parameter] y
+# 2766|         Type = [LValueReferenceType] ThreeWay &
+# 2766|   getEntryPoint(): [BlockStmt] { ... }
+# 2766|     getStmt(0): [ReturnStmt] return ...
+# 2766|       getExpr(): [SpaceshipExpr] ... <=> ...
+# 2766|           Type = [Class] strong_ordering
+# 2766|           ValueCategory = prvalue
+# 2766|         getChild(0): [PointerFieldAccess] x
+# 2766|             Type = [IntType] int
+# 2766|             ValueCategory = prvalue(load)
+# 2766|           getQualifier(): [ThisExpr] this
+# 2766|               Type = [PointerType] ThreeWay *
+# 2766|               ValueCategory = prvalue(load)
+# 2766|         getChild(1): [ReferenceFieldAccess] x
+# 2766|             Type = [IntType] int
+# 2766|             ValueCategory = prvalue(load)
+# 2766|           getQualifier(): [VariableAccess] y
+# 2766|               Type = [LValueReferenceType] ThreeWay &
+# 2766|               ValueCategory = prvalue(load)
+# 2766|           getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
+# 2766|               Type = [Class] ThreeWay
+# 2766|               ValueCategory = lvalue
+# 2769| [TopLevelFunction] void test_three_way(int, int, ThreeWay, ThreeWay)
+# 2769|   <params>: 
+# 2769|     getParameter(0): [Parameter] a
+# 2769|         Type = [IntType] int
+# 2769|     getParameter(1): [Parameter] b
+# 2769|         Type = [IntType] int
+# 2769|     getParameter(2): [Parameter] c
+# 2769|         Type = [Class] ThreeWay
+# 2769|     getParameter(3): [Parameter] d
+# 2769|         Type = [Class] ThreeWay
+# 2769|   getEntryPoint(): [BlockStmt] { ... }
+# 2770|     getStmt(0): [DeclStmt] declaration
+# 2770|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
+# 2770|           Type = [Class] strong_ordering
+# 2770|         getVariable().getInitializer(): [Initializer] initializer for x
+# 2770|           getExpr(): [SpaceshipExpr] ... <=> ...
+# 2770|               Type = [Class] strong_ordering
+# 2770|               ValueCategory = prvalue
+# 2770|             getChild(0): [VariableAccess] a
+# 2770|                 Type = [IntType] int
+# 2770|                 ValueCategory = prvalue(load)
+# 2770|             getChild(1): [VariableAccess] b
+# 2770|                 Type = [IntType] int
+# 2770|                 ValueCategory = prvalue(load)
+# 2771|     getStmt(1): [DeclStmt] declaration
+# 2771|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of y
+# 2771|           Type = [Class] strong_ordering
+# 2771|         getVariable().getInitializer(): [Initializer] initializer for y
+# 2771|           getExpr(): [FunctionCall] call to operator<=>
+# 2771|               Type = [Class] strong_ordering
+# 2771|               ValueCategory = prvalue
+# 2771|             getQualifier(): [VariableAccess] c
+# 2771|                 Type = [Class] ThreeWay
+# 2771|                 ValueCategory = lvalue
+# 2771|             getArgument(0): [VariableAccess] d
+# 2771|                 Type = [Class] ThreeWay
+# 2771|                 ValueCategory = lvalue
+# 2771|             getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+# 2771|                 Type = [LValueReferenceType] ThreeWay &
+# 2771|                 ValueCategory = prvalue
+# 2772|     getStmt(2): [ReturnStmt] return ...
 ir23.cpp:
 #    1| [TopLevelFunction] bool consteval_1()
 #    1|   <params>: 

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -20273,6 +20273,90 @@ ir.cpp:
 # 2728|     v2728_14(void)        = AliasedUse               : ~m2728_9
 # 2728|     v2728_15(void)        = ExitFunction             : 
 
+# 2747| void std::strong_ordering::strong_ordering(std::strong_ordering&&)
+# 2747|   Block 0
+# 2747|     v2747_1(void)                   = EnterFunction                                : 
+# 2747|     m2747_2(unknown)                = AliasedDefinition                            : 
+# 2747|     m2747_3(unknown)                = InitializeNonLocal                           : 
+# 2747|     m2747_4(unknown)                = Chi                                          : total:m2747_2, partial:m2747_3
+# 2747|     r2747_5(glval<unknown>)         = VariableAddress[#this]                       : 
+# 2747|     m2747_6(glval<strong_ordering>) = InitializeParameter[#this]                   : &:r2747_5
+# 2747|     r2747_7(glval<strong_ordering>) = Load[#this]                                  : &:r2747_5, m2747_6
+# 2747|     m2747_8(strong_ordering)        = InitializeIndirection[#this]                 : &:r2747_7
+#-----|     r0_1(glval<strong_ordering &&>) = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     m0_2(strong_ordering &&)        = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(strong_ordering &&)        = Load[(unnamed parameter 0)]                  : &:r0_1, m0_2
+#-----|     m0_4(unknown)                   = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+# 2747|     v2747_9(void)                   = NoOp                                         : 
+# 2747|     v2747_10(void)                  = ReturnIndirection[#this]                     : &:r2747_7, m2747_8
+#-----|     v0_5(void)                      = ReturnIndirection[(unnamed parameter 0)]     : &:r0_3, m0_4
+# 2747|     v2747_11(void)                  = ReturnVoid                                   : 
+# 2747|     v2747_12(void)                  = AliasedUse                                   : m2747_3
+# 2747|     v2747_13(void)                  = ExitFunction                                 : 
+
+# 2748| void std::strong_ordering::strong_ordering(std::_Order)
+# 2748|   Block 0
+# 2748|     v2748_1(void)                   = EnterFunction                : 
+# 2748|     m2748_2(unknown)                = AliasedDefinition            : 
+# 2748|     m2748_3(unknown)                = InitializeNonLocal           : 
+# 2748|     m2748_4(unknown)                = Chi                          : total:m2748_2, partial:m2748_3
+# 2748|     r2748_5(glval<unknown>)         = VariableAddress[#this]       : 
+# 2748|     m2748_6(glval<strong_ordering>) = InitializeParameter[#this]   : &:r2748_5
+# 2748|     r2748_7(glval<strong_ordering>) = Load[#this]                  : &:r2748_5, m2748_6
+# 2748|     m2748_8(strong_ordering)        = InitializeIndirection[#this] : &:r2748_7
+# 2748|     r2748_9(glval<_Order>)          = VariableAddress[v]           : 
+# 2748|     m2748_10(_Order)                = InitializeParameter[v]       : &:r2748_9
+# 2748|     v2748_11(void)                  = NoOp                         : 
+# 2748|     v2748_12(void)                  = ReturnIndirection[#this]     : &:r2748_7, m2748_8
+# 2748|     v2748_13(void)                  = ReturnVoid                   : 
+# 2748|     v2748_14(void)                  = AliasedUse                   : m2748_3
+# 2748|     v2748_15(void)                  = ExitFunction                 : 
+
+# 2766| std::strong_ordering ThreeWay::operator<=>(ThreeWay&)
+# 2766|   Block 0
+# 2766|     v2766_1(void)                    = EnterFunction                : 
+# 2766|     m2766_2(unknown)                 = AliasedDefinition            : 
+# 2766|     m2766_3(unknown)                 = InitializeNonLocal           : 
+# 2766|     m2766_4(unknown)                 = Chi                          : total:m2766_2, partial:m2766_3
+# 2766|     r2766_5(glval<unknown>)          = VariableAddress[#this]       : 
+# 2766|     m2766_6(glval<ThreeWay>)         = InitializeParameter[#this]   : &:r2766_5
+# 2766|     r2766_7(glval<ThreeWay>)         = Load[#this]                  : &:r2766_5, m2766_6
+# 2766|     m2766_8(ThreeWay)                = InitializeIndirection[#this] : &:r2766_7
+# 2766|     r2766_9(glval<ThreeWay &>)       = VariableAddress[y]           : 
+# 2766|     m2766_10(ThreeWay &)             = InitializeParameter[y]       : &:r2766_9
+# 2766|     r2766_11(ThreeWay &)             = Load[y]                      : &:r2766_9, m2766_10
+# 2766|     m2766_12(unknown)                = InitializeIndirection[y]     : &:r2766_11
+# 2766|     r2766_13(glval<strong_ordering>) = VariableAddress[#return]     : 
+# 2766|     r2766_14(glval<unknown>)         = VariableAddress[#this]       : 
+# 2766|     r2766_15(ThreeWay *)             = Load[#this]                  : &:r2766_14, m2766_6
+# 2766|     r2766_16(glval<int>)             = FieldAddress[x]              : r2766_15
+# 2766|     r2766_17(int)                    = Load[?]                      : &:r2766_16, ~m2766_8
+# 2766|     r2766_18(glval<ThreeWay &>)      = VariableAddress[y]           : 
+# 2766|     r2766_19(ThreeWay &)             = Load[y]                      : &:r2766_18, m2766_10
+# 2766|     r2766_20(glval<ThreeWay>)        = CopyValue                    : r2766_19
+# 2766|     r2766_21(glval<int>)             = FieldAddress[x]              : r2766_20
+# 2766|     r2766_22(int)                    = Load[?]                      : &:r2766_21, ~m2766_12
+
+# 2769| void test_three_way(int, int, ThreeWay, ThreeWay)
+# 2769|   Block 0
+# 2769|     v2769_1(void)                   = EnterFunction          : 
+# 2769|     m2769_2(unknown)                = AliasedDefinition      : 
+# 2769|     m2769_3(unknown)                = InitializeNonLocal     : 
+# 2769|     m2769_4(unknown)                = Chi                    : total:m2769_2, partial:m2769_3
+# 2769|     r2769_5(glval<int>)             = VariableAddress[a]     : 
+# 2769|     m2769_6(int)                    = InitializeParameter[a] : &:r2769_5
+# 2769|     r2769_7(glval<int>)             = VariableAddress[b]     : 
+# 2769|     m2769_8(int)                    = InitializeParameter[b] : &:r2769_7
+# 2769|     r2769_9(glval<ThreeWay>)        = VariableAddress[c]     : 
+# 2769|     m2769_10(ThreeWay)              = InitializeParameter[c] : &:r2769_9
+# 2769|     r2769_11(glval<ThreeWay>)       = VariableAddress[d]     : 
+# 2769|     m2769_12(ThreeWay)              = InitializeParameter[d] : &:r2769_11
+# 2770|     r2770_1(glval<strong_ordering>) = VariableAddress[x]     : 
+# 2770|     r2770_2(glval<int>)             = VariableAddress[a]     : 
+# 2770|     r2770_3(int)                    = Load[a]                : &:r2770_2, m2769_6
+# 2770|     r2770_4(glval<int>)             = VariableAddress[b]     : 
+# 2770|     r2770_5(int)                    = Load[b]                : &:r2770_4, m2769_8
+
 ir23.cpp:
 #    1| bool consteval_1()
 #    1|   Block 0

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected

@@ -6,6 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:2766:72:2766:72 | Load: x | Instruction 'Load: x' has no successors in function '$@'. | ir.cpp:2766:24:2766:34 | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) |
+| ir.cpp:2770:18:2770:18 | Load: b | Instruction 'Load: b' has no successors in function '$@'. | ir.cpp:2769:6:2769:19 | void test_three_way(int, int, ThreeWay, ThreeWay) | void test_three_way(int, int, ThreeWay, ThreeWay) |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected

@@ -6,6 +6,8 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:2766:72:2766:72 | Load: x | Instruction 'Load: x' has no successors in function '$@'. | ir.cpp:2766:24:2766:34 | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) |
+| ir.cpp:2770:18:2770:18 | Load: b | Instruction 'Load: b' has no successors in function '$@'. | ir.cpp:2769:6:2769:19 | void test_three_way(int, int, ThreeWay, ThreeWay) | void test_three_way(int, int, ThreeWay, ThreeWay) |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -2742,4 +2742,33 @@ void test_postfix_crement(int *p, int q) {
   int q2 = (int)(q++);
 }
 
+namespace std {
+  enum class _Order : signed char { __less = -1, __equiv = 0, __greater = 1 };
+  class strong_ordering {
+    explicit constexpr strong_ordering(_Order v)  {}
+
+  public:
+    static const strong_ordering less;
+    static const strong_ordering equal;
+    static const strong_ordering equivalent;
+    static const strong_ordering greater;
+  };
+
+  inline constexpr strong_ordering strong_ordering::less(_Order::__less);
+  inline constexpr strong_ordering strong_ordering::equal(_Order::__equiv);
+  inline constexpr strong_ordering strong_ordering::equivalent(_Order::__equiv);
+  inline constexpr strong_ordering strong_ordering::greater(_Order::__greater);
+}
+
+class ThreeWay {
+  int x;
+public:
+  std::strong_ordering operator<=>(ThreeWay &y) { return this->x <=> y.x; }
+};
+
+void test_three_way(int a, int b, ThreeWay c, ThreeWay d) {
+  auto x = a <=> b;
+  auto y = c <=> d;
+}
+
 // semmle-extractor-options: -std=c++20 --clang

cpp/ql/test/library-tests/ir/ir/raw_consistency.expected

@@ -1,11 +1,15 @@
 missingOperand
+| ir.cpp:2766:58:2766:72 | Store: ... <=> ... | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:2766:24:2766:34 | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) |
+| ir.cpp:2770:12:2770:18 | Store: ... <=> ... | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:2769:6:2769:19 | void test_three_way(int, int, ThreeWay, ThreeWay) | void test_three_way(int, int, ThreeWay, ThreeWay) |
 unexpectedOperand
 duplicateOperand
 missingPhiOperand
 missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ir.cpp:2766:72:2766:72 | Load: x | Instruction 'Load: x' has no successors in function '$@'. | ir.cpp:2766:24:2766:34 | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) |
+| ir.cpp:2770:18:2770:18 | Load: b | Instruction 'Load: b' has no successors in function '$@'. | ir.cpp:2769:6:2769:19 | void test_three_way(int, int, ThreeWay, ThreeWay) | void test_three_way(int, int, ThreeWay, ThreeWay) |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
@@ -21,6 +25,10 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 | ir.cpp:1535:8:1535:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1535:8:1535:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
+| ir.cpp:2766:24:2766:34 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:2766:24:2766:34 | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) |
+| ir.cpp:2766:46:2766:46 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:2766:24:2766:34 | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) |
+| ir.cpp:2766:51:2766:73 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:2766:24:2766:34 | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) | std::strong_ordering ThreeWay::operator<=>(ThreeWay&) |
+| ir.cpp:2770:8:2770:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:2769:6:2769:19 | void test_three_way(int, int, ThreeWay, ThreeWay) | void test_three_way(int, int, ThreeWay, ThreeWay) |
 switchInstructionWithoutDefaultEdge
 notMarkedAsConflated
 wronglyMarkedAsConflated