From 6042adebae6089df3a0d2f5b0f8599e6b485564b Mon Sep 17 00:00:00 2001 From: BazookaMusic Date: Wed, 27 May 2026 17:23:28 +0200 Subject: [PATCH 01/10] move identical java and cs bound.qll to shared library --- .../lib/semmle/code/java/dataflow/Bound.qll | 67 ++---------- .../internal/rangeanalysis/BoundSpecific.qll | 29 ++--- .../codeql/rangeanalysis/Bound.qll | 100 ++++++++++++++++++ 3 files changed, 125 insertions(+), 71 deletions(-) create mode 100644 shared/rangeanalysis/codeql/rangeanalysis/Bound.qll diff --git a/java/ql/lib/semmle/code/java/dataflow/Bound.qll b/java/ql/lib/semmle/code/java/dataflow/Bound.qll index 65af6fb13a81..a15880208387 100644 --- a/java/ql/lib/semmle/code/java/dataflow/Bound.qll +++ b/java/ql/lib/semmle/code/java/dataflow/Bound.qll 
@@ -4,67 +4,16 @@ overlay[local?] module; -private import internal.rangeanalysis.BoundSpecific +private import java as J +private import internal.rangeanalysis.BoundSpecific as BoundSpecific +private import codeql.rangeanalysis.Bound as SharedBound -private newtype TBound = - TBoundZero() or - TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or - TBoundExpr(Expr e) { - interestingExprBound(e) and - not exists(SsaVariable v | e = v.getAUse()) - } +module BoundInstantiation = SharedBound::Bound; -/** - * A bound that may be inferred for an expression plus/minus an integer delta. - */ -abstract class Bound extends TBound { - /** Gets a textual representation of this bound. */ - abstract string toString(); - - /** Gets an expression that equals this bound plus `delta`. */ - abstract Expr getExpr(int delta); - - /** Gets an expression that equals this bound. */ - Expr getExpr() { result = this.getExpr(0) } - - /** Gets the location of this bound. */ - abstract Location getLocation(); -} - -/** - * The bound that corresponds to the integer 0. This is used to represent all - * integer bounds as bounds are always accompanied by an added integer delta. - */ -class ZeroBound extends Bound, TBoundZero { - override string toString() { result = "0" } - - override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta } +class Bound = BoundInstantiation::Bound; - override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) } -} - -/** - * A bound corresponding to the value of an SSA variable. - */ -class SsaBound extends Bound, TBoundSsa { - /** Gets the SSA variable that equals this bound. 
*/ - SsaVariable getSsa() { this = TBoundSsa(result) } - - override string toString() { result = this.getSsa().toString() } - - override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 } - - override Location getLocation() { result = this.getSsa().getLocation() } -} - -/** - * A bound that corresponds to the value of a specific expression that might be - * interesting, but isn't otherwise represented by the value of an SSA variable. - */ -class ExprBound extends Bound, TBoundExpr { - override string toString() { result = this.getExpr().toString() } +class ZeroBound = BoundInstantiation::ZeroBound; - override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 } +class SsaBound = BoundInstantiation::SsaBound; - override Location getLocation() { result = this.getExpr().getLocation() } -} +class ExprBound = BoundInstantiation::ExprBound; \ No newline at end of file diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll index cd85883f7bc4..ba2f8027b30f 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll 
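Review bot: `private import java as J` is added at the top of the new Bound.qll, but nothing in the hunk references `J` — every remaining declaration is an alias into `BoundInstantiation`, so the import appears dead unless something below the visible lines uses it. The same import is still present in this file's later hunks in the series (patches 02 and 04), and the C# Bound.qll in patch 02 adds a similarly unreferenced `private import csharp as CS`. If nothing outside the hunk needs them, drop both and keep only `private import internal.rangeanalysis.BoundSpecific as BoundSpecific`, which the instantiation `SharedBound::Bound<BoundSpecific::BoundDefs>` does need (the type argument looks stripped in this rendering, presumably an extraction artifact rather than the source).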
@@ -7,21 +7,26 @@ module; private import java as J private import semmle.code.java.dataflow.SSA as Ssa private import semmle.code.java.dataflow.RangeUtils as RU +private import codeql.rangeanalysis.Bound as SharedBound -class SsaVariable extends Ssa::SsaDefinition { - /** Gets a use of this variable. */ - Expr getAUse() { result = super.getARead() } -} +module BoundDefs implements SharedBound::BoundDefinitions { + class SsaVariable extends Ssa::SsaDefinition { + /** Gets a use of this variable. */ + Expr getAUse() { result = super.getARead() } + } -class Expr = J::Expr; + class SsaSourceVariable = Ssa::SourceVariable; -class Location = J::Location; + class Type = J::Type; -class IntegralType = J::IntegralType; + class Expr = J::Expr; -class ConstantIntegerExpr = RU::ConstantIntegerExpr; + class IntegralType = J::IntegralType; -/** Holds if `e` is a bound expression and it is not an SSA variable read. */ -predicate interestingExprBound(Expr e) { - e.(J::FieldRead).getField() instanceof J::ArrayLengthField -} + class ConstantIntegerExpr = RU::ConstantIntegerExpr; + + /** Holds if `e` is a bound expression and it is not an SSA variable read. */ + predicate interestingExprBound(Expr e) { + e.(J::FieldRead).getField() instanceof J::ArrayLengthField + } +} \ No newline at end of file diff --git a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll new file mode 100644 index 000000000000..10ef74d40010 --- /dev/null +++ b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll 
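Review bot: The new `module BoundDefs implements SharedBound::BoundDefinitions` has no QLDoc, while the C# counterpart receives `/** Provides C#-specific definitions for bounds. */` in patch 08 of this series and no later patch adds one here. Add `/** Provides Java-specific definitions for bounds. */` directly above `module BoundDefs`. The nested `SsaVariable` subclass keeps its `getAUse()` doc and `SsaSourceVariable`/`Type` are exactly the members the signature asks for, so the rest of the hunk reads fine.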
@@ -0,0 +1,100 @@ +/** + * Provides classes for representing abstract bounds for use in, for example, range analysis. + */ + +private import codeql.util.Location + +signature module BoundDefinitions { + class Type; + class IntegralType extends Type; + + class ConstantIntegerExpr extends Expr { + int getIntValue(); + } + + class SsaSourceVariable { + Type getType(); + } + + class SsaVariable { + SsaSourceVariable getSourceVariable(); + string toString(); + Location getLocation(); + Expr getAUse(); + } + + class Expr { + string toString(); + Location getLocation(); + } + + predicate interestingExprBound(Expr e); +} + +overlay[local?] +module Bound Defs> { + private import Defs + + private newtype TBound = + TBoundZero() or + TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or + TBoundExpr(Expr e) { + interestingExprBound(e) and + not exists(SsaVariable v | e = v.getAUse()) + } + + /** + * A bound that may be inferred for an expression plus/minus an integer delta. + */ + abstract class Bound extends TBound { + /** Gets a textual representation of this bound. */ + abstract string toString(); + + /** Gets an expression that equals this bound plus `delta`. */ + abstract Expr getExpr(int delta); + + /** Gets an expression that equals this bound. */ + Expr getExpr() { result = this.getExpr(0) } + + /** Gets the location of this bound. */ + abstract Location getLocation(); + } + + /** + * The bound that corresponds to the integer 0. This is used to represent all + * integer bounds as bounds are always accompanied by an added integer delta. + */ + class ZeroBound extends Bound, TBoundZero { + override string toString() { result = "0" } + + override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta } + + override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) } + } + + /** + * A bound corresponding to the value of an SSA variable. 
+ */ + class SsaBound extends Bound, TBoundSsa { + /** Gets the SSA variable that equals this bound. */ + SsaVariable getSsa() { this = TBoundSsa(result) } + + override string toString() { result = this.getSsa().toString() } + + override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 } + + override Location getLocation() { result = this.getSsa().getLocation() } + } + + /** + * A bound that corresponds to the value of a specific expression that might be + * interesting, but isn't otherwise represented by the value of an SSA variable. + */ + class ExprBound extends Bound, TBoundExpr { + override string toString() { result = this.getExpr().toString() } + + override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 } + + override Location getLocation() { result = this.getExpr().getLocation() } + } +} From acb5c0e70f56d981cec2f2e408b7a15247e4d818 Mon Sep 17 00:00:00 2001 From: BazookaMusic Date: Wed, 27 May 2026 17:23:45 +0200 Subject: [PATCH 02/10] missed changes --- csharp/ql/lib/qlpack.yml | 1 + .../lib/semmle/code/csharp/dataflow/Bound.qll | 52 +++---------------- .../internal/rangeanalysis/BoundSpecific.qll | 24 ++++++--- .../lib/semmle/code/java/dataflow/Bound.qll | 24 +++++++-- 4 files changed, 45 insertions(+), 56 deletions(-) diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index b3a0dab73036..8501130e2e7b 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -9,6 +9,7 @@ dependencies: codeql/controlflow: ${workspace} codeql/dataflow: ${workspace} codeql/mad: ${workspace} + codeql/rangeanalysis: ${workspace} codeql/ssa: ${workspace} codeql/threat-models: ${workspace} codeql/tutorial: ${workspace} diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll index 65af6fb13a81..b37222c1daa8 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll 
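Review bot: `signature module BoundDefinitions` is the contract every language has to implement for this shared library, yet none of its members carry QLDoc — `class Type;`, `class IntegralType extends Type;`, the accessor predicates and `interestingExprBound` are bare declarations, and the only description of `interestingExprBound` lives in the language-specific files that implement it. Add a one-line QLDoc to each member, e.g. `/** Holds if `e` is a bound expression and it is not an SSA variable read. */` above `predicate interestingExprBound(Expr e);` and `/** An expression with a printable form and a location. */` above `class Expr {`. The later patches in this series (04–06, 09, 10) reformat this file and document the `Bound` module itself but leave the signature undocumented. Separately, `ZeroBound.getLocation()` synthesises its location via `hasLocationInfo("", 0, 0, 0, 0)`; a short why-comment such as `// The constant 0 has no source position; use the empty location.` would save the next reader from looking for a real one.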
@@ -4,67 +4,31 @@ overlay[local?] module; +private import csharp as CS private import internal.rangeanalysis.BoundSpecific +private import internal.rangeanalysis.BoundSpecific as BoundSpecific +private import codeql.rangeanalysis.Bound as SharedBound -private newtype TBound = - TBoundZero() or - TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or - TBoundExpr(Expr e) { - interestingExprBound(e) and - not exists(SsaVariable v | e = v.getAUse()) - } +private module BoundImpl = SharedBound::Bound; /** * A bound that may be inferred for an expression plus/minus an integer delta. */ -abstract class Bound extends TBound { - /** Gets a textual representation of this bound. */ - abstract string toString(); - - /** Gets an expression that equals this bound plus `delta`. */ - abstract Expr getExpr(int delta); - - /** Gets an expression that equals this bound. */ - Expr getExpr() { result = this.getExpr(0) } - - /** Gets the location of this bound. */ - abstract Location getLocation(); -} +class Bound = BoundImpl::Bound; /** * The bound that corresponds to the integer 0. This is used to represent all * integer bounds as bounds are always accompanied by an added integer delta. */ -class ZeroBound extends Bound, TBoundZero { - override string toString() { result = "0" } - - override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta } - - override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) } -} +class ZeroBound = BoundImpl::ZeroBound; /** * A bound corresponding to the value of an SSA variable. */ -class SsaBound extends Bound, TBoundSsa { - /** Gets the SSA variable that equals this bound. 
*/ - SsaVariable getSsa() { this = TBoundSsa(result) } - - override string toString() { result = this.getSsa().toString() } - - override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 } - - override Location getLocation() { result = this.getSsa().getLocation() } -} +class SsaBound = BoundImpl::SsaBound; /** * A bound that corresponds to the value of a specific expression that might be * interesting, but isn't otherwise represented by the value of an SSA variable. */ -class ExprBound extends Bound, TBoundExpr { - override string toString() { result = this.getExpr().toString() } - - override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 } - - override Location getLocation() { result = this.getExpr().getLocation() } -} +class ExprBound = BoundImpl::ExprBound; \ No newline at end of file diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll index 037422684306..069f0034eed0 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll 
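Review bot: The hunk keeps the unqualified `private import internal.rangeanalysis.BoundSpecific` and adds `private import internal.rangeanalysis.BoundSpecific as BoundSpecific` directly after it, so the same module is imported twice; the Java Bound.qll in patch 01 replaces the unqualified import rather than keeping it. After this change everything in BoundSpecific lives inside `BoundDefs`, so as far as the hunk shows the unqualified import brings in nothing the file uses. Drop the first of the two lines. The formatting commit (patch 04) only touches this file from line 11 on, so the duplicate survives the series.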
@@ -7,16 +7,26 @@ private import semmle.code.csharp.dataflow.SSA::Ssa as Ssa private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU +private import codeql.rangeanalysis.Bound as SharedBound -class SsaVariable = SU::SsaVariable; +/** Holds if `e` is a bound expression and it is not an SSA variable read. */ -class Expr = CS::ControlFlowNodes::ExprNode; -class Location = CS::Location; +module BoundDefs implements SharedBound::BoundDefinitions { + class Type = CS::Type; -class IntegralType = CS::IntegralType; + class SsaVariable = SU::SsaVariable; + + class SsaSourceVariable = Ssa::SourceVariable; -class ConstantIntegerExpr = CU::ConstantIntegerExpr; + class Expr = CS::ControlFlowNodes::ExprNode; -/** Holds if `e` is a bound expression and it is not an SSA variable read. */ -predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) } + class IntegralType = CS::IntegralType; + + class ConstantIntegerExpr = CU::ConstantIntegerExpr; + + /** Holds if `e` is a bound expression and it is not an SSA variable read. */ + predicate interestingExprBound(Expr e) { + CU::systemArrayLengthAccess(e.getExpr()) + } +} diff --git a/java/ql/lib/semmle/code/java/dataflow/Bound.qll b/java/ql/lib/semmle/code/java/dataflow/Bound.qll index a15880208387..0cfe3e9039d2 100644 --- a/java/ql/lib/semmle/code/java/dataflow/Bound.qll +++ b/java/ql/lib/semmle/code/java/dataflow/Bound.qll 
@@ -8,12 +8,26 @@ private import java as J private import internal.rangeanalysis.BoundSpecific as BoundSpecific private import codeql.rangeanalysis.Bound as SharedBound -module BoundInstantiation = SharedBound::Bound; +private module BoundImpl = SharedBound::Bound; -class Bound = BoundInstantiation::Bound; +/** + * A bound that may be inferred for an expression plus/minus an integer delta. + */ +class Bound = BoundImpl::Bound; -class ZeroBound = BoundInstantiation::ZeroBound; +/** + * The bound that corresponds to the integer 0. This is used to represent all + * integer bounds as bounds are always accompanied by an added integer delta. + */ +class ZeroBound = BoundImpl::ZeroBound; -class SsaBound = BoundInstantiation::SsaBound; +/** + * A bound corresponding to the value of an SSA variable. + */ +class SsaBound = BoundImpl::SsaBound; -class ExprBound = BoundInstantiation::ExprBound; \ No newline at end of file +/** + * A bound that corresponds to the value of a specific expression that might be + * interesting, but isn't otherwise represented by the value of an SSA variable. + */ +class ExprBound = BoundImpl::ExprBound; \ No newline at end of file From cc12740c0e55379ddfdb57be1f62f9322fa06927 Mon Sep 17 00:00:00 2001 From: BazookaMusic Date: Wed, 27 May 2026 17:41:44 +0200 Subject: [PATCH 03/10] remove check for files in sync --- config/identical-files.json | 4 ---- 1 file changed, 4 deletions(-) diff --git a/config/identical-files.json b/config/identical-files.json index 8a5c00a49f88..818f033e4db5 100644 --- a/config/identical-files.json +++ b/config/identical-files.json 
@@ -11,10 +11,6 @@ "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll", "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll" ], - "Bound Java/C#": [ - "java/ql/lib/semmle/code/java/dataflow/Bound.qll", - "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll" - ], "ModulusAnalysis Java/C#": [ "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll", "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll" From 71a363545a1e4e5829bdcab45389adc028a65720 Mon Sep 17 00:00:00 2001 From: BazookaMusic Date: Mon, 1 Jun 2026 15:21:39 +0200 Subject: [PATCH 04/10] formatting --- .../lib/semmle/code/csharp/dataflow/Bound.qll | 22 +---- .../internal/rangeanalysis/BoundSpecific.qll | 20 ++-- .../lib/semmle/code/java/dataflow/Bound.qll | 22 +---- .../internal/rangeanalysis/BoundSpecific.qll | 2 +- .../codeql/rangeanalysis/Bound.qll | 95 ++++++++++--------- 5 files changed, 61 insertions(+), 100 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll index b37222c1daa8..c08e2e1c0d40 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll 
@@ -11,24 +11,4 @@ private import codeql.rangeanalysis.Bound as SharedBound private module BoundImpl = SharedBound::Bound; -/** - * A bound that may be inferred for an expression plus/minus an integer delta. - */ -class Bound = BoundImpl::Bound; - -/** - * The bound that corresponds to the integer 0. This is used to represent all - * integer bounds as bounds are always accompanied by an added integer delta. - */ -class ZeroBound = BoundImpl::ZeroBound; - -/** - * A bound corresponding to the value of an SSA variable. - */ -class SsaBound = BoundImpl::SsaBound; - -/** - * A bound that corresponds to the value of a specific expression that might be - * interesting, but isn't otherwise represented by the value of an SSA variable. - */ -class ExprBound = BoundImpl::ExprBound; \ No newline at end of file +import BoundImpl diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll index 069f0034eed0..9d36d6a81b58 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll 
@@ -10,23 +10,19 @@ private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU private import codeql.rangeanalysis.Bound as SharedBound /** Holds if `e` is a bound expression and it is not an SSA variable read. */ - - module BoundDefs implements SharedBound::BoundDefinitions { - class Type = CS::Type; + class Type = CS::Type; + + class SsaVariable = SU::SsaVariable; - class SsaVariable = SU::SsaVariable; - - class SsaSourceVariable = Ssa::SourceVariable; + class SsaSourceVariable = Ssa::SourceVariable; - class Expr = CS::ControlFlowNodes::ExprNode; + class Expr = CS::ControlFlowNodes::ExprNode; - class IntegralType = CS::IntegralType; + class IntegralType = CS::IntegralType; - class ConstantIntegerExpr = CU::ConstantIntegerExpr; + class ConstantIntegerExpr = CU::ConstantIntegerExpr; /** Holds if `e` is a bound expression and it is not an SSA variable read. */ - predicate interestingExprBound(Expr e) { - CU::systemArrayLengthAccess(e.getExpr()) - } + predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) } } diff --git a/java/ql/lib/semmle/code/java/dataflow/Bound.qll b/java/ql/lib/semmle/code/java/dataflow/Bound.qll index 0cfe3e9039d2..f82afcd17e4f 100644 --- a/java/ql/lib/semmle/code/java/dataflow/Bound.qll +++ b/java/ql/lib/semmle/code/java/dataflow/Bound.qll 
@@ -10,24 +10,4 @@ private import codeql.rangeanalysis.Bound as SharedBound private module BoundImpl = SharedBound::Bound; -/** - * A bound that may be inferred for an expression plus/minus an integer delta. - */ -class Bound = BoundImpl::Bound; - -/** - * The bound that corresponds to the integer 0. This is used to represent all - * integer bounds as bounds are always accompanied by an added integer delta. - */ -class ZeroBound = BoundImpl::ZeroBound; - -/** - * A bound corresponding to the value of an SSA variable. - */ -class SsaBound = BoundImpl::SsaBound; - -/** - * A bound that corresponds to the value of a specific expression that might be - * interesting, but isn't otherwise represented by the value of an SSA variable. - */ -class ExprBound = BoundImpl::ExprBound; \ No newline at end of file +import BoundImpl diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll index ba2f8027b30f..5435eeb44927 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll @@ -29,4 +29,4 @@ module BoundDefs implements SharedBound::BoundDefinitions { predicate interestingExprBound(Expr e) { e.(J::FieldRead).getField() instanceof J::ArrayLengthField } -} \ No newline at end of file +} diff --git a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll index 10ef74d40010..af44e6927454 100644 --- a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll +++ b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll 
@@ -5,48 +5,53 @@ private import codeql.util.Location signature module BoundDefinitions { - class Type; - class IntegralType extends Type; + class Type; - class ConstantIntegerExpr extends Expr { - int getIntValue(); - } + class IntegralType extends Type; - class SsaSourceVariable { - Type getType(); - } + class ConstantIntegerExpr extends Expr { + int getIntValue(); + } - class SsaVariable { - SsaSourceVariable getSourceVariable(); - string toString(); - Location getLocation(); - Expr getAUse(); - } + class SsaSourceVariable { + Type getType(); + } - class Expr { - string toString(); - Location getLocation(); - } + class SsaVariable { + SsaSourceVariable getSourceVariable(); + + string toString(); + + Location getLocation(); + + Expr getAUse(); + } - predicate interestingExprBound(Expr e); + class Expr { + string toString(); + + Location getLocation(); + } + + predicate interestingExprBound(Expr e); } overlay[local?] module Bound Defs> { - private import Defs + private import Defs - private newtype TBound = + private newtype TBound = TBoundZero() or TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or TBoundExpr(Expr e) { - interestingExprBound(e) and - not exists(SsaVariable v | e = v.getAUse()) + interestingExprBound(e) and + not exists(SsaVariable v | e = v.getAUse()) } - /** - * A bound that may be inferred for an expression plus/minus an integer delta. - */ - abstract class Bound extends TBound { + /** + * A bound that may be inferred for an expression plus/minus an integer delta. + */ + abstract class Bound extends TBound { /** Gets a textual representation of this bound. */ abstract string toString(); 
@@ -58,24 +63,24 @@ module Bound Defs> { /** Gets the location of this bound. */ abstract Location getLocation(); - } + } - /** - * The bound that corresponds to the integer 0. This is used to represent all - * integer bounds as bounds are always accompanied by an added integer delta. - */ - class ZeroBound extends Bound, TBoundZero { + /** + * The bound that corresponds to the integer 0. This is used to represent all + * integer bounds as bounds are always accompanied by an added integer delta. + */ + class ZeroBound extends Bound, TBoundZero { override string toString() { result = "0" } override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta } override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) } - } + } - /** - * A bound corresponding to the value of an SSA variable. - */ - class SsaBound extends Bound, TBoundSsa { + /** + * A bound corresponding to the value of an SSA variable. + */ + class SsaBound extends Bound, TBoundSsa { /** Gets the SSA variable that equals this bound. */ SsaVariable getSsa() { this = TBoundSsa(result) } @@ -84,17 +89,17 @@ module Bound Defs> { override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 } override Location getLocation() { result = this.getSsa().getLocation() } - } + } - /** - * A bound that corresponds to the value of a specific expression that might be - * interesting, but isn't otherwise represented by the value of an SSA variable. - */ - class ExprBound extends Bound, TBoundExpr { + /** + * A bound that corresponds to the value of a specific expression that might be + * interesting, but isn't otherwise represented by the value of an SSA variable. + */ + class ExprBound extends Bound, TBoundExpr { override string toString() { result = this.getExpr().toString() } override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 } override Location getLocation() { result = this.getExpr().getLocation() } - } + } } 
From d1226b71de156cc4f7fae5cb3e7a622934d9fae6 Mon Sep 17 00:00:00 2001 From: BazookaMusic Date: Mon, 1 Jun 2026 15:46:52 +0200 Subject: [PATCH 05/10] formatting --- shared/rangeanalysis/codeql/rangeanalysis/Bound.qll | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll index af44e6927454..de3aba8781f8 100644 --- a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll +++ b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll @@ -1,7 +1,3 @@ -/** - * Provides classes for representing abstract bounds for use in, for example, range analysis. - */ - private import codeql.util.Location signature module BoundDefinitions { @@ -36,6 +32,7 @@ signature module BoundDefinitions { predicate interestingExprBound(Expr e); } +/** Provides classes for representing abstract bounds for use in, for example, range analysis. */ overlay[local?] module Bound Defs> { private import Defs From c1c9287535857dc0db2c56dcbd485425c5806bdd Mon Sep 17 00:00:00 2001 From: BazookaMusic Date: Mon, 1 Jun 2026 15:48:26 +0200 Subject: [PATCH 06/10] restore file header --- shared/rangeanalysis/codeql/rangeanalysis/Bound.qll | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll index de3aba8781f8..13a3132c283c 100644 --- a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll +++ b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll @@ -1,3 +1,9 @@ +/** + * Provides classes for representing abstract bounds for use in, for example, range analysis. + */ +overlay[local?] +module; + private import codeql.util.Location signature module BoundDefinitions { From fa63dad1d16874e3ee478763cdcf360fa42e096b Mon Sep 17 00:00:00 2001 
From: BazookaMusic Date: Mon, 1 Jun 2026 18:16:51 +0200 Subject: [PATCH 07/10] change note --- shared/rangeanalysis/change-notes/released/1.0.52.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 shared/rangeanalysis/change-notes/released/1.0.52.md diff --git a/shared/rangeanalysis/change-notes/released/1.0.52.md b/shared/rangeanalysis/change-notes/released/1.0.52.md new file mode 100644 index 000000000000..a91f5a8025d3 --- /dev/null +++ b/shared/rangeanalysis/change-notes/released/1.0.52.md @@ -0,0 +1,3 @@ +## 1.0.52 + +No user-facing changes. From c610af88d3518b858bb74e16d396147f0af31b0e Mon Sep 17 00:00:00 2001 From: BazookaMusic Date: Mon, 1 Jun 2026 18:18:37 +0200 Subject: [PATCH 08/10] fix comment and add overlay[local?] --- .../csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll index 9d36d6a81b58..cbf395c24f47 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll @@ -1,6 +1,8 @@ /** * Provides C#-specific definitions for bounds. */ +overlay[local?] +module; private import csharp as CS private import semmle.code.csharp.dataflow.SSA::Ssa as Ssa @@ -9,7 +11,7 @@ private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU private import codeql.rangeanalysis.Bound as SharedBound -/** Holds if `e` is a bound expression and it is not an SSA variable read. */ +/** Provides C#-specific definitions for bounds. */ module BoundDefs implements SharedBound::BoundDefinitions { class Type = CS::Type; From 2a3cff382c4ffa044637d601a1e5946dd05ab87a Mon Sep 17 00:00:00 2001 
From: BazookaMusic Date: Mon, 1 Jun 2026 18:20:50 +0200 Subject: [PATCH 09/10] more specific comment --- shared/rangeanalysis/codeql/rangeanalysis/Bound.qll | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll index 13a3132c283c..a39871000d91 100644 --- a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll +++ b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll @@ -38,7 +38,9 @@ signature module BoundDefinitions { predicate interestingExprBound(Expr e); } -/** Provides classes for representing abstract bounds for use in, for example, range analysis. */ +/** Provides classes for representing abstract bounds for use in, for example, range analysis. + * This is a generic implementation of bounds that relies on language specific modules to provide language-specific definitions of expressions, SSA variables, etc. +*/ overlay[local?] module Bound Defs> { private import Defs From 566a92e55519bdad0fab656cb44edcd8e8837ffd Mon Sep 17 00:00:00 2001 From: BazookaMusic Date: Tue, 2 Jun 2026 10:41:10 +0200 Subject: [PATCH 10/10] formatting again --- shared/rangeanalysis/codeql/rangeanalysis/Bound.qll | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll index a39871000d91..353cb94064b4 100644 --- a/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll +++ b/shared/rangeanalysis/codeql/rangeanalysis/Bound.qll 
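Review bot: The second sentence of the new QLDoc on `module Bound` is a single line of roughly 150 characters and says both "language specific" and "language-specific", while the surrounding QLDoc in this file wraps at about 80–100 columns. Patch 10 reflows the opening `/**` and closing ` */` but keeps the long line. Consider wrapping it as ` * This is a generic implementation of bounds; a language-specific `BoundDefinitions`` / ` * module supplies the expressions, SSA variables and types it ranges over.`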
@@ -38,9 +38,10 @@ signature module BoundDefinitions { predicate interestingExprBound(Expr e); } -/** Provides classes for representing abstract bounds for use in, for example, range analysis. +/** + * Provides classes for representing abstract bounds for use in, for example, range analysis. * This is a generic implementation of bounds that relies on language specific modules to provide language-specific definitions of expressions, SSA variables, etc. -*/ + */ overlay[local?] module Bound Defs> { private import Defs