Fix models for min and max and improve tests

owen-mc · owen-mc · commit dc4cbf232599 · 2024-05-14T12:40:24.000+01:00
Although the documentation makes them look variadic (and generic), they
are actually special-cased in the compiler. Like all built-in functions
they don't have a signature type, but the type of `min(a, b, c)` is
`func(int, int, int) int` and not `func(int, ...int) int`.

Go doesn't allow open-ended ranges for argument indices in
models-as-data specifications (though Ruby and Python do), so I've used
`1..1000`.
diff --git a/go/ql/lib/ext/builtin.model.yml b/go/ql/lib/ext/builtin.model.yml
@@ -6,7 +6,5 @@ extensions:
       - ["", "", False, "append", "", "", "Argument[0].ArrayElement", "ReturnValue.ArrayElement", "value", "manual"]
       - ["", "", False, "append", "", "", "Argument[1].ArrayElement", "ReturnValue.ArrayElement", "value", "manual"]
       - ["", "", False, "copy", "", "", "Argument[1].ArrayElement", "Argument[0].ArrayElement", "value", "manual"]
-      - ["", "", False, "max", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
-      - ["", "", False, "max", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
-      - ["", "", False, "min", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
-      - ["", "", False, "min", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "max", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "min", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected
@@ -34,3 +34,9 @@ invalidModelRow
 | test.go:170:17:170:20 | arg1 | qltest |
 | test.go:170:23:170:26 | arg2 | qltest |
 | test.go:170:29:170:32 | arg3 | qltest |
+| test.go:172:10:172:23 | call to max | qltest |
+| test.go:173:10:173:23 | call to max | qltest |
+| test.go:174:10:174:23 | call to max | qltest |
+| test.go:175:10:175:23 | call to min | qltest |
+| test.go:176:10:176:23 | call to min | qltest |
+| test.go:177:10:177:23 | call to min | qltest |
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/steps.expected b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/steps.expected
@@ -14,3 +14,21 @@ invalidModelRow
 | test.go:74:13:74:25 | type assertion | test.go:74:12:74:40 | call to StepQualRes |
 | test.go:78:3:78:15 | type assertion | test.go:77:6:77:11 | definition of taint6 |
 | test.go:81:34:81:36 | src | test.go:81:12:81:37 | call to StepArgResNoQual |
+| test.go:172:14:172:16 | src | test.go:172:10:172:23 | call to max |
+| test.go:172:19:172:19 | 0 | test.go:172:10:172:23 | call to max |
+| test.go:172:22:172:22 | 1 | test.go:172:10:172:23 | call to max |
+| test.go:173:14:173:14 | 0 | test.go:173:10:173:23 | call to max |
+| test.go:173:17:173:19 | src | test.go:173:10:173:23 | call to max |
+| test.go:173:22:173:22 | 1 | test.go:173:10:173:23 | call to max |
+| test.go:174:14:174:14 | 0 | test.go:174:10:174:23 | call to max |
+| test.go:174:17:174:17 | 1 | test.go:174:10:174:23 | call to max |
+| test.go:174:20:174:22 | src | test.go:174:10:174:23 | call to max |
+| test.go:175:14:175:16 | src | test.go:175:10:175:23 | call to min |
+| test.go:175:19:175:19 | 0 | test.go:175:10:175:23 | call to min |
+| test.go:175:22:175:22 | 1 | test.go:175:10:175:23 | call to min |
+| test.go:176:14:176:14 | 0 | test.go:176:10:176:23 | call to min |
+| test.go:176:17:176:19 | src | test.go:176:10:176:23 | call to min |
+| test.go:176:22:176:22 | 1 | test.go:176:10:176:23 | call to min |
+| test.go:177:14:177:14 | 0 | test.go:177:10:177:23 | call to min |
+| test.go:177:17:177:17 | 1 | test.go:177:10:177:23 | call to min |
+| test.go:177:20:177:22 | src | test.go:177:10:177:23 | call to min |
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go
@@ -168,4 +168,11 @@ func simpleflow() {
 	arg3 := src
 	arg4 := src
 	b.SinkManyArgs(arg1, arg2, arg3, arg4) // $ hasValueFlow="arg1" hasValueFlow="arg2" hasValueFlow="arg3"
+
+	b.Sink1(max(src, 0, 1)) // $ hasValueFlow="call to max"
+	b.Sink1(max(0, src, 1)) // $ hasValueFlow="call to max"
+	b.Sink1(max(0, 1, src)) // $ hasValueFlow="call to max"
+	b.Sink1(min(src, 0, 1)) // $ hasValueFlow="call to min"
+	b.Sink1(min(0, src, 1)) // $ hasValueFlow="call to min"
+	b.Sink1(min(0, 1, src)) // $ hasValueFlow="call to min"
 }
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected
@@ -127,10 +127,12 @@
 | main.go:64:7:64:18 | call to min | main.go:64:2:64:2 | definition of a |
 | main.go:64:11:64:11 | x | main.go:64:7:64:18 | call to min |
 | main.go:64:14:64:14 | y | main.go:64:7:64:18 | call to min |
+| main.go:64:17:64:17 | z | main.go:64:7:64:18 | call to min |
 | main.go:65:2:65:2 | definition of b | main.go:66:12:66:12 | b |
 | main.go:65:7:65:18 | call to max | main.go:65:2:65:2 | definition of b |
 | main.go:65:11:65:11 | x | main.go:65:7:65:18 | call to max |
 | main.go:65:14:65:14 | y | main.go:65:7:65:18 | call to max |
+| main.go:65:17:65:17 | z | main.go:65:7:65:18 | call to max |
 | strings.go:8:12:8:12 | argument corresponding to s | strings.go:8:12:8:12 | definition of s |
 | strings.go:8:12:8:12 | definition of s | strings.go:9:24:9:24 | s |
 | strings.go:8:12:8:12 | definition of s | strings.go:10:27:10:27 | s |
