github · rdmarsh2 · May 15, 2019 · Apr 30, 2019 · Apr 30, 2019 · May 1, 2019
diff --git a/change-notes/1.21/analysis-cpp.md b/change-notes/1.21/analysis-cpp.md
@@ -30,6 +30,8 @@
 | `()`-declared function called with too many arguments (`cpp/futile-params`) | Improved coverage | Query has been generalized to find all cases where the number of arguments exceedes the number of parameters of the function, provided the function is also properly declared/defined elsewhere. |
 
 ## Changes to QL libraries
+- The predicate `Declaration.hasGlobalName` now only holds for declarations that are not nested in a class. For example, it no longer holds for a member function `MyClass::myFunction` or a constructor `MyClass::MyClass`, whereas previously it would classify those two declarations as global names.
+- In class `Declaration`, predicates `getQualifiedName/0` and `hasQualifiedName/1` are no longer recommended for finding functions by name. Instead, use `hasGlobalName/1` and the new `hasQualifiedName/2` and `hasQualifiedName/3` predicates. This improves performance and makes it more reliable to identify names involving templates.
 - Additional support for definition by reference has been added to the `semmle.code.cpp.dataflow.TaintTracking` library.
     - The taint tracking library now includes taint-specific edges for functions modeled in `semmle.code.cpp.models.interfaces.DataFlow`.
     - The taint tracking library adds flow through library functions that are modeled in `semmle.code.cpp.models.interfaces.Taint`. Queries can add subclasses of `TaintFunction` to specify additional flow.

diff --git a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
@@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo
 import Negativity
 
 predicate closeCall(FunctionCall fc, Variable v) {
-  fc.getTarget().hasQualifiedName("close") and v.getAnAccess() = fc.getArgument(0)
+  fc.getTarget().hasGlobalName("close") and v.getAnAccess() = fc.getArgument(0)
   or
   exists(FunctionCall midcall, Function mid, int arg |
     fc.getArgument(arg) = v.getAnAccess() and

diff --git a/cpp/ql/src/Critical/DescriptorNeverClosed.ql b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
@@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo
 
 predicate closed(Expr e) {
   exists(FunctionCall fc |
-    fc.getTarget().hasQualifiedName("close") and
+    fc.getTarget().hasGlobalName("close") and
     fc.getArgument(0) = e
   )
 }

diff --git a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
@@ -30,7 +30,7 @@ predicate useFunc(GlobalVariable v, Function f) {
 }
 
 predicate uninitialisedBefore(GlobalVariable v, Function f) {
-  f.hasQualifiedName("main")
+  f.hasGlobalName("main")
   or
   exists(Call call, Function g |
     uninitialisedBefore(v, g) and

diff --git a/cpp/ql/src/Critical/InitialisationNotRun.ql b/cpp/ql/src/Critical/InitialisationNotRun.ql
@@ -20,7 +20,7 @@ predicate global(GlobalVariable v) {
 }
 
 predicate mainCalled(Function f) {
-  f.getQualifiedName() = "main"
+  f.hasGlobalName("main")
   or
   exists(Function caller | mainCalled(caller) and allCalls(caller, f))
 }

diff --git a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
@@ -55,7 +55,7 @@ predicate allocCallOrIndirect(Expr e) {
  * can cause memory leaks.
  */
 predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode verified) {
-  reallocCall.getTarget().hasQualifiedName("realloc") and
+  reallocCall.getTarget().hasGlobalName("realloc") and
   reallocCall.getArgument(0) = v.getAnAccess() and
   (
     exists(Variable newV, ControlFlowNode node |
@@ -82,7 +82,7 @@ predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode
 predicate freeCallOrIndirect(ControlFlowNode n, Variable v) {
   // direct free call
   freeCall(n, v.getAnAccess()) and
-  not n.(FunctionCall).getTarget().hasQualifiedName("realloc")
+  not n.(FunctionCall).getTarget().hasGlobalName("realloc")
   or
   // verified realloc call
   verifiedRealloc(_, v, n)

diff --git a/cpp/ql/src/Critical/OverflowCalculated.ql b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -14,8 +14,8 @@ import cpp
 
 class MallocCall extends FunctionCall {
   MallocCall() {
-    this.getTarget().hasQualifiedName("malloc") or
-    this.getTarget().hasQualifiedName("std::malloc")
+    this.getTarget().hasGlobalName("malloc") or
+    this.getTarget().hasQualifiedName("std", "malloc")
   }
 
   Expr getAllocatedSize() {
@@ -36,12 +36,12 @@ predicate spaceProblem(FunctionCall append, string msg) {
     malloc.getAllocatedSize() = add and
     buffer.getAnAccess() = strlen.getStringExpr() and
     (
-      insert.getTarget().hasQualifiedName("strcpy") or
-      insert.getTarget().hasQualifiedName("strncpy")
+      insert.getTarget().hasGlobalName("strcpy") or
+      insert.getTarget().hasGlobalName("strncpy")
     ) and
     (
-      append.getTarget().hasQualifiedName("strcat") or
-      append.getTarget().hasQualifiedName("strncat")
+      append.getTarget().hasGlobalName("strcat") or
+      append.getTarget().hasGlobalName("strncat")
     ) and
     malloc.getASuccessor+() = insert and
     insert.getArgument(1) = buffer.getAnAccess() and

diff --git a/cpp/ql/src/Critical/OverflowDestination.ql b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -25,7 +25,7 @@ import semmle.code.cpp.security.TaintTracking
 predicate sourceSized(FunctionCall fc, Expr src) {
   exists(string name |
     (name = "strncpy" or name = "strncat" or name = "memcpy" or name = "memmove") and
-    fc.getTarget().hasQualifiedName(name)
+    fc.getTarget().hasGlobalName(name)
   ) and
   exists(Expr dest, Expr size, Variable v |
     fc.getArgument(0) = dest and

diff --git a/cpp/ql/src/Critical/OverflowStatic.ql b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -59,21 +59,21 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
 }
 
 predicate bufferAndSizeFunction(Function f, int buf, int size) {
-  f.hasQualifiedName("read") and buf = 1 and size = 2
+  f.hasGlobalName("read") and buf = 1 and size = 2
   or
-  f.hasQualifiedName("fgets") and buf = 0 and size = 1
+  f.hasGlobalName("fgets") and buf = 0 and size = 1
   or
-  f.hasQualifiedName("strncpy") and buf = 0 and size = 2
+  f.hasGlobalName("strncpy") and buf = 0 and size = 2
   or
-  f.hasQualifiedName("strncat") and buf = 0 and size = 2
+  f.hasGlobalName("strncat") and buf = 0 and size = 2
   or
-  f.hasQualifiedName("memcpy") and buf = 0 and size = 2
+  f.hasGlobalName("memcpy") and buf = 0 and size = 2
   or
-  f.hasQualifiedName("memmove") and buf = 0 and size = 2
+  f.hasGlobalName("memmove") and buf = 0 and size = 2
   or
-  f.hasQualifiedName("snprintf") and buf = 0 and size = 1
+  f.hasGlobalName("snprintf") and buf = 0 and size = 1
   or
-  f.hasQualifiedName("vsnprintf") and buf = 0 and size = 1
+  f.hasGlobalName("vsnprintf") and buf = 0 and size = 1
 }
 
 class CallWithBufferSize extends FunctionCall {

diff --git a/cpp/ql/src/Critical/SizeCheck.ql b/cpp/ql/src/Critical/SizeCheck.ql
@@ -17,12 +17,12 @@ import cpp
 class Allocation extends FunctionCall {
   Allocation() {
     exists(string name |
-      this.getTarget().hasQualifiedName(name) and
+      this.getTarget().hasGlobalName(name) and
       (name = "malloc" or name = "calloc" or name = "realloc")
     )
   }
 
-  string getName() { result = this.getTarget().getQualifiedName() }
+  private string getName() { this.getTarget().hasGlobalName(result) }
 
   int getSize() {
     this.getName() = "malloc" and

diff --git a/cpp/ql/src/Critical/SizeCheck2.ql b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -17,12 +17,12 @@ import cpp
 class Allocation extends FunctionCall {
   Allocation() {
     exists(string name |
-      this.getTarget().hasQualifiedName(name) and
+      this.getTarget().hasGlobalName(name) and
       (name = "malloc" or name = "calloc" or name = "realloc")
     )
   }
 
-  string getName() { result = this.getTarget().getQualifiedName() }
+  private string getName() { this.getTarget().hasGlobalName(result) }
 
   int getSize() {
     this.getName() = "malloc" and

diff --git a/cpp/ql/src/Critical/UseAfterFree.ql b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -16,7 +16,7 @@ import semmle.code.cpp.controlflow.LocalScopeVariableReachability
 predicate isFreeExpr(Expr e, LocalScopeVariable v) {
   exists(VariableAccess va | va.getTarget() = v |
     exists(FunctionCall fc | fc = e |
-      fc.getTarget().hasQualifiedName("free") and
+      fc.getTarget().hasGlobalName("free") and
       va = fc.getArgument(0)
     )
     or

diff --git a/cpp/ql/src/DefaultOptions.qll b/cpp/ql/src/DefaultOptions.qll
@@ -32,7 +32,7 @@ class Options extends string
    */
   predicate overrideReturnsNull(Call call) {
     // Used in CVS:
-    call.(FunctionCall).getTarget().hasQualifiedName("Xstrdup")
+    call.(FunctionCall).getTarget().hasGlobalName("Xstrdup")
     or
     CustomOptions::overrideReturnsNull(call) // old Options.qll
   }
@@ -46,7 +46,7 @@ class Options extends string
    */
   predicate returnsNull(Call call) {
     // Used in CVS:
-    call.(FunctionCall).getTarget().hasQualifiedName("Xstrdup") and
+    call.(FunctionCall).getTarget().hasGlobalName("Xstrdup") and
     nullValue(call.getArgument(0))
     or
     CustomOptions::returnsNull(call) // old Options.qll
@@ -61,7 +61,7 @@ class Options extends string
    */
   predicate exits(Function f) {
     f.getAnAttribute().hasName("noreturn") or
-    exists(string name | f.getQualifiedName() = name |
+    exists(string name | f.hasGlobalName(name) |
       name = "exit" or
       name = "_exit" or
       name = "abort" or
@@ -92,7 +92,7 @@ class Options extends string
    * By default holds only for `fgets`.
    */
   predicate alwaysCheckReturnValue(Function f) {
-    f.hasQualifiedName("fgets") or
+    f.hasGlobalName("fgets") or
     CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
   }
 
@@ -108,7 +108,7 @@ class Options extends string
     fc.isInMacroExpansion()
     or
     // common way of sleeping using select:
-    (fc.getTarget().hasQualifiedName("select") and
+    (fc.getTarget().hasGlobalName("select") and
      fc.getArgument(0).getValue() = "0")
     or
     CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll

diff --git a/cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql b/cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql
@@ -58,11 +58,11 @@ predicate refToStdString(Expr e, ConstructorCall source) {
  * will also become invalid.
  */
 predicate flowFunction(Function fcn, int argIndex) {
-  (fcn.getQualifiedName() = "_JNIEnv::NewStringUTF" and argIndex = 0)
+  (fcn.hasQualifiedName("", "_JNIEnv", "NewStringUTF") and argIndex = 0)
   or
-  (fcn.getQualifiedName() = "art::JNI::NewStringUTF" and argIndex = 1)
+  (fcn.hasQualifiedName("art", "JNI", "NewStringUTF") and argIndex = 1)
   or
-  (fcn.getQualifiedName() = "art::CheckJNI::NewStringUTF" and argIndex = 1)
+  (fcn.hasQualifiedName("art", "CheckJNI", "NewStringUTF") and argIndex = 1)
 
   // Add other functions that behave like NewStringUTF here.
 }

diff --git a/cpp/ql/src/Metrics/Files/FNumberOfTests.ql b/cpp/ql/src/Metrics/Files/FNumberOfTests.ql
@@ -13,13 +13,10 @@ import cpp
 
 Expr getTest() {
     // cppunit tests; https://freedesktop.org/wiki/Software/cppunit/
-    exists(Function f | result.(FunctionCall).getTarget() = f
-                    and f.getNamespace().getName() = "CppUnit"
-                    and f.getName() = "addTest")
+    result.(FunctionCall).getTarget().hasQualifiedName("CppUnit", _, "addTest")
     or
     // boost tests; http://www.boost.org/
-    exists(Function f | result.(FunctionCall).getTarget() = f
-                    and f.getQualifiedName() = "boost::unit_test::make_test_case")
+    result.(FunctionCall).getTarget().hasQualifiedName("boost::unit_test", "make_test_case")
 }
 
 from File f, int n

diff --git a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -23,7 +23,7 @@ import semmle.code.cpp.security.TaintTracking
  */
 class FileFunction extends FunctionWithWrappers {
   FileFunction() {
-    exists(string nme | this.getQualifiedName() = nme |
+    exists(string nme | this.hasGlobalName(nme) |
       nme = "fopen" or
       nme = "_fopen" or
       nme = "_wfopen" or
@@ -32,10 +32,7 @@ class FileFunction extends FunctionWithWrappers {
       nme = "_wopen" or
 
       // create file function on windows
-      nme.matches("CreateFile%") or
-
-      // Objective C standard library
-      nme.matches("NSFileHandle%::+fileHandleFor%AtPath:")
+      nme.matches("CreateFile%")
     )
     or
     (

diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -16,8 +16,8 @@ import semmle.code.cpp.security.TaintTracking
 /** A call that prints its arguments to `stdout`. */
 class PrintStdoutCall extends FunctionCall {
   PrintStdoutCall() {
-    getTarget().hasQualifiedName("puts") or
-    getTarget().hasQualifiedName("printf")
+    getTarget().hasGlobalName("puts") or
+    getTarget().hasGlobalName("printf")
   }
 }
 

diff --git a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -73,9 +73,9 @@ class VarargsFunction extends Function {
   }
 
   predicate isWhitelisted() {
-    this.hasQualifiedName("open") or
-    this.hasQualifiedName("fcntl") or
-    this.hasQualifiedName("ptrace")
+    this.hasGlobalName("open") or
+    this.hasGlobalName("fcntl") or
+    this.hasGlobalName("ptrace")
   }
 }
 

diff --git a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -18,8 +18,8 @@ import cpp
 class MallocCall extends FunctionCall
 {
   MallocCall() {
-  	this.getTarget().hasQualifiedName("malloc") or
-  	this.getTarget().hasQualifiedName("std::malloc")
+  	this.getTarget().hasGlobalName("malloc") or
+  	this.getTarget().hasQualifiedName("std", "malloc")
   }
 
   Expr getAllocatedSize() {

diff --git a/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql b/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
@@ -12,7 +12,7 @@
 import cpp
 
 predicate potentiallyDangerousFunction(Function f, string message) {
-  exists(string name | name = f.getQualifiedName() |
+  exists(string name | f.hasGlobalName(name) |
     (
       name = "gmtime" or
       name = "localtime" or
@@ -21,7 +21,7 @@ predicate potentiallyDangerousFunction(Function f, string message) {
     ) and
     message = "Call to " + name + " is potentially dangerous"
   ) or (
-    f.getQualifiedName() = "gets" and
+    f.hasGlobalName("gets") and
     message = "gets does not guard against buffer overflow"
   )
 }

diff --git a/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql b/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
@@ -21,7 +21,7 @@ predicate acquireExpr(Expr acquire, string kind) {
   exists(FunctionCall fc, Function f, string name |
     fc = acquire and
     f = fc.getTarget() and
-    name = f.getQualifiedName() and 
+    f.hasGlobalName(name) and 
     (
       (
         name = "fopen" and
@@ -47,7 +47,7 @@ predicate releaseExpr(Expr release, Expr resource, string kind) {
   exists(FunctionCall fc, Function f, string name |
     fc = release and
     f = fc.getTarget() and
-    name = f.getQualifiedName() and 
+    f.hasGlobalName(name) and 
     (
       (
         name = "fclose" and
@@ -252,7 +252,7 @@ pragma[noopt] predicate badRelease(Resource r, Expr acquire, Function functionCa
   )
 }
 
-Class qtObject() { result.getABaseClass*().getQualifiedName() = "QObject" }
+Class qtObject() { result.getABaseClass*().hasGlobalName("QObject") }
 PointerType qtObjectReference() { result.getBaseType() = qtObject() }
 Constructor qtParentConstructor() {
   exists(Parameter p |