Merge branch 'main' into jca_signature_extensions

Author: nicolaswill

Cargo.lock

@@ -98,11 +98,11 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.99",
+    "vendor_ts__anyhow-1.0.100",
     "vendor_ts__argfile-0.2.1",
     "vendor_ts__chalk-ir-0.104.0",
     "vendor_ts__chrono-0.4.42",
-    "vendor_ts__clap-4.5.47",
+    "vendor_ts__clap-4.5.48",
     "vendor_ts__dunce-1.0.5",
     "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
@@ -116,7 +116,7 @@ use_repo(
     "vendor_ts__num-traits-0.2.19",
     "vendor_ts__num_cpus-1.17.0",
     "vendor_ts__proc-macro2-1.0.101",
-    "vendor_ts__quote-1.0.40",
+    "vendor_ts__quote-1.0.41",
     "vendor_ts__ra_ap_base_db-0.0.301",
     "vendor_ts__ra_ap_cfg-0.0.301",
     "vendor_ts__ra_ap_hir-0.0.301",
@@ -135,17 +135,17 @@ use_repo(
     "vendor_ts__ra_ap_vfs-0.0.301",
     "vendor_ts__rand-0.9.2",
     "vendor_ts__rayon-1.11.0",
-    "vendor_ts__regex-1.11.2",
-    "vendor_ts__serde-1.0.219",
-    "vendor_ts__serde_json-1.0.143",
-    "vendor_ts__serde_with-3.14.0",
+    "vendor_ts__regex-1.11.3",
+    "vendor_ts__serde-1.0.228",
+    "vendor_ts__serde_json-1.0.145",
+    "vendor_ts__serde_with-3.14.1",
     "vendor_ts__syn-2.0.106",
-    "vendor_ts__toml-0.9.5",
+    "vendor_ts__toml-0.9.7",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
     "vendor_ts__tracing-subscriber-0.3.20",
     "vendor_ts__tree-sitter-0.25.9",
-    "vendor_ts__tree-sitter-embedded-template-0.23.2",
+    "vendor_ts__tree-sitter-embedded-template-0.25.0",
     "vendor_ts__tree-sitter-json-0.24.8",
     "vendor_ts__tree-sitter-ql-0.23.1",
     "vendor_ts__tree-sitter-ruby-0.23.1",

MODULE.bazel

@@ -87,6 +87,7 @@ class ElementBase extends @element {
  */
 class Element extends ElementBase {
   /** Gets the primary file where this element occurs. */
+  pragma[nomagic]
   File getFile() { result = this.getLocation().getFile() }
 
   /**

cpp/ql/lib/semmle/code/cpp/Element.qll

@@ -0,0 +1,5 @@
+---
+category: breaking
+---
+* The member predicate `writesField` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing a struct literal. A new member predicate `writesFieldPreUpdate` has been added for cases where this behaviour is not desired.
+* The member predicate `writesElement` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing an array/slice/map literal. A new member predicate `writesElementPreUpdate` has been added for cases where this behaviour is not desired.

go/ql/lib/change-notes/2025-09-19-api-changes.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The shape of the Go data-flow graph has changed. Previously for code like `x := def(); use1(x); use2(x)`, there would be edges from the definition of `x` to each use. Now there is an edge from the definition to the first use, then another from the first use to the second, and so on. This means that data-flow barriers work differently - flow will not reach any uses after the barrier node. Where this is not desired it may be be necessary to add an additional flow step to propagate the flow forward. Additionally, when a variable may be subject to a side-effect, such as updating an array, passing a pointer to a function that might write through it or writing to a field of a struct, there is now a dedicated post-update node representing the variable after this side-effect has taken place. Previously post-update nodes were aliases for either a variable's definition, or were equal to the pre-update node. This led to backwards steps in the data-flow graph, which could cause false positives. For example, in the previous code there would be an edge from `x` in `use2(x)` back to the definition of `x`. If we define our sources as any argument of `use2` and our sinks as any argument of `use1` then this would lead to a false positive path. Now there are distinct post-update nodes and no backwards edge to the definition, so we will not find this false positive path.

go/ql/lib/change-notes/2025-09-19-use-use-flow-proper-post-update-nodes.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* For the query `go/unvalidated-url-redirection`, when untrusted data is assigned to the `Host` field of a `url.URL` struct, we consider the whole struct untrusted. We now also include the case when this happens during struct initialization, for example `&url.URL{Host: untrustedData}`.

go/ql/lib/change-notes/2025-10-02-unvalidated-url-redirection-struct-init-fix.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The member predicate `writesComponent` on `DataFlow::Write` has been deprecated. Instead, use `writesFieldPreUpdate` and `writesElementPreUpdate`, or their new versions `writesField` and `writesElement`.

go/ql/lib/change-notes/2025-10-02-writenode-writescomponent-deprecated.md

@@ -118,6 +118,8 @@ module ControlFlow {
     /** Gets the left-hand side of this write. */
     IR::WriteTarget getLhs() { result = super.getLhs() }
 
+    private predicate isInitialization() { super.isInitialization() }
+
     /** Gets the right-hand side of this write. */
     DataFlow::Node getRhs() { super.getRhs() = result.asInstruction() }
 
@@ -132,49 +134,112 @@ module ControlFlow {
 
     /**
      * Holds if this node sets the value of field `f` on `base` (or its implicit dereference) to
-     * `rhs`.
+     * `rhs`, where `base` represents the post-update value.
+     *
+     * For example, for the assignment `x.width = newWidth`, `base` is the post-update node of
+     * either the data-flow node corresponding to `x` or (if `x` is a pointer) the data-flow node
+     * corresponding to the implicit dereference `*x`, `f` is the field referenced by `width`, and
+     * `rhs` is the data-flow node corresponding to `newWidth`. If this `WriteNode` is a struct
+     * initialization then there is no post-update node and `base` is the struct literal being
+     * initialized.
+     */
+    predicate writesField(DataFlow::Node base, Field f, DataFlow::Node rhs) {
+      exists(DataFlow::Node b | this.writesFieldPreUpdate(b, f, rhs) |
+        this.isInitialization() and base = b
+        or
+        not this.isInitialization() and
+        b = base.(DataFlow::PostUpdateNode).getPreUpdateNode()
+      )
+    }
+
+    /**
+     * Holds if this node sets the value of field `f` on `base` (or its implicit dereference) to
+     * `rhs`, where `base` represents the pre-update value.
      *
      * For example, for the assignment `x.width = newWidth`, `base` is either the data-flow node
      * corresponding to `x` or (if `x` is a pointer) the data-flow node corresponding to the
-     * implicit dereference `*x`, `f` is the field referenced by `width`, and `rhs` is the data-flow
-     * node corresponding to `newWidth`.
+     * implicit dereference `*x`, `f` is the field referenced by `width`, and `rhs` is the
+     * data-flow node corresponding to `newWidth`.
      */
-    predicate writesField(DataFlow::Node base, Field f, DataFlow::Node rhs) {
+    predicate writesFieldPreUpdate(DataFlow::Node base, Field f, DataFlow::Node rhs) {
+      this.writesFieldInsn(base.asInstruction(), f, rhs.asInstruction())
+    }
+
+    private predicate writesFieldInsn(IR::Instruction base, Field f, IR::Instruction rhs) {
       exists(IR::FieldTarget trg | trg = super.getLhs() |
         (
-          trg.getBase() = base.asInstruction() or
-          trg.getBase() = MkImplicitDeref(base.asExpr())
+          trg.getBase() = base or
+          trg.getBase() = MkImplicitDeref(base.(IR::EvalInstruction).getExpr())
         ) and
         trg.getField() = f and
-        super.getRhs() = rhs.asInstruction()
+        super.getRhs() = rhs
       )
     }
 
     /**
      * Holds if this node sets the value of element `index` on `base` (or its implicit dereference)
      * to `rhs`.
      *
-     * For example, for the assignment `xs[i] = v`, `base` is either the data-flow node
-     * corresponding to `xs` or (if `xs` is a pointer) the data-flow node corresponding to the
-     * implicit dereference `*xs`, `index` is the data-flow node corresponding to `i`, and `rhs`
-     * is the data-flow node corresponding to `base`.
+     * For example, for the assignment `xs[i] = v`, `base` is the post-update node of the data-flow
+     * node corresponding to `xs` or (if `xs` is a pointer) the implicit dereference `*xs`, `index`
+     * is the data-flow node corresponding to `i`, and `rhs` is the data-flow node corresponding to
+     * `base`. If this `WriteNode` corresponds to the initialization of an array/slice/map then
+     * there is no need for a post-update node and `base` is the array/slice/map literal being
+     * initialized.
      */
     predicate writesElement(DataFlow::Node base, DataFlow::Node index, DataFlow::Node rhs) {
+      exists(DataFlow::Node b | this.writesElementPreUpdate(b, index, rhs) |
+        this.isInitialization() and base = b
+        or
+        not this.isInitialization() and
+        b = base.(DataFlow::PostUpdateNode).getPreUpdateNode()
+      )
+    }
+
+    /**
+     * Holds if this node sets the value of element `index` on `base` (or its implicit dereference)
+     * to `rhs`.
+     *
+     * For example, for the assignment `xs[i] = v`, `base` is the post-update node of the data-flow
+     * node corresponding to `xs` or (if `xs` is a pointer) the implicit dereference `*xs`, `index`
+     * is the data-flow node corresponding to `i`, and `rhs` is the data-flow node corresponding to
+     * `base`. If this `WriteNode` corresponds to the initialization of an array/slice/map then
+     * there is no need for a post-update node and `base` is the array/slice/map literal being
+     * initialized.
+     */
+    predicate writesElementPreUpdate(DataFlow::Node base, DataFlow::Node index, DataFlow::Node rhs) {
+      this.writesElementInsn(base.asInstruction(), index.asInstruction(), rhs.asInstruction())
+    }
+
+    private predicate writesElementInsn(
+      IR::Instruction base, IR::Instruction index, IR::Instruction rhs
+    ) {
       exists(IR::ElementTarget trg | trg = super.getLhs() |
         (
-          trg.getBase() = base.asInstruction() or
-          trg.getBase() = MkImplicitDeref(base.asExpr())
+          trg.getBase() = base or
+          trg.getBase() = MkImplicitDeref(base.(IR::EvalInstruction).getExpr())
         ) and
-        trg.getIndex() = index.asInstruction() and
-        super.getRhs() = rhs.asInstruction()
+        trg.getIndex() = index and
+        super.getRhs() = rhs
       )
     }
 
+    /**
+     * DEPRECATED: Use the disjunct of `writesElement` and `writesField`, or `writesFieldPreUpdate`
+     * and `writesElementPreUpdate`, instead.
+     *
+     * Holds if this node sets any field or element of `base` (or its implicit dereference) to
+     * `rhs`, where `base` represents the pre-update value.
+     */
+    deprecated predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) {
+      this.writesElementPreUpdate(base, _, rhs) or this.writesFieldPreUpdate(base, _, rhs)
+    }
+
     /**
      * Holds if this node sets any field or element of `base` to `rhs`.
      */
-    predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) {
-      this.writesElement(base, _, rhs) or this.writesField(base, _, rhs)
+    predicate writesComponentInstruction(IR::Instruction base, IR::Instruction rhs) {
+      this.writesElementInsn(base, _, rhs) or this.writesFieldInsn(base, _, rhs)
     }
   }
 

go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll

@@ -430,18 +430,25 @@ module IR {
    */
   class WriteInstruction extends Instruction {
     WriteTarget lhs;
+    Boolean initialization;
 
     WriteInstruction() {
-      lhs = MkLhs(this, _)
-      or
-      lhs = MkLiteralElementTarget(this)
+      (
+        lhs = MkLhs(this, _)
+        or
+        lhs = MkResultWriteTarget(this)
+      ) and
+      initialization = false
       or
-      lhs = MkResultWriteTarget(this)
+      lhs = MkLiteralElementTarget(this) and initialization = true
     }
 
     /** Gets the target to which this instruction writes. */
     WriteTarget getLhs() { result = lhs }
 
+    /** Holds if this instruction initializes a literal. */
+    predicate isInitialization() { initialization = true }
+
     /** Gets the instruction computing the value this instruction writes. */
     Instruction getRhs() { none() }
 

go/ql/lib/semmle/go/controlflow/IR.qll

@@ -166,6 +166,13 @@ class SsaDefinition extends TSsaDefinition {
   ) {
     this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
   }
+
+  /**
+   * Gets the first instruction that the value of this `SsaDefinition` can
+   * reach without passing through any other instructions, but possibly through
+   * phi nodes.
+   */
+  IR::Instruction getAFirstUse() { firstUse(this, result) }
 }
 
 /**
@@ -410,3 +417,12 @@ DataFlow::Node getASimilarReadNode(DataFlow::Node node) {
     result = readFields.similar().getAUse()
   )
 }
+
+/**
+ * Gets an instruction such that  `pred` and `result` form an adjacent
+ * use-use-pair of the same`SsaSourceVariable`, that is, the value read in
+ * `pred` can reach `result` without passing through any other use or any SSA
+ * definition of the variable except for phi nodes and uncertain implicit
+ * updates.
+ */
+IR::Instruction getAnAdjacentUse(IR::Instruction pred) { adjacentUseUse(pred, result) }